How to configure Palo Alto Networks Wildfire Analysis | PAN-OS 9.1

Captions
Hey guys, welcome to MB Tech Talker. My name is Matt. In this video I'm going to explain what WildFire Analysis does and how to configure WildFire security profiles and use them in your security policies. I'm going to be doing all of this using a VM-Series Palo Alto next-generation firewall inside of VMware Workstation.

Okay, so what is WildFire? Well, WildFire provides detection and prevention of zero-day malware using a combination of static, dynamic and bare metal analysis. WildFire extends the capabilities of the Palo Alto Networks next-generation firewall to identify and block unknown malware. The Palo Alto Networks firewall can be configured and instructed to forward files and URLs to the WildFire cloud by attaching a WildFire Analysis security profile to security policies. A virtual sandbox analyzes the file sample's behavior, properties and activities to determine if the sample is benign, grayware, phishing or malware, and if new malware is detected, WildFire generates signatures so the Palo Alto Networks firewalls can consume and recognize newly discovered malware in order to block the threat. With an active WildFire license, the latest signatures are available globally every five minutes. Firewalls without a WildFire subscription license get the signature updates the following day.

Okay, so there are three ways to deploy WildFire. Firstly, we have the WildFire public cloud option. This is where the Palo Alto Networks firewall forwards file samples to the WildFire cloud, which is owned and maintained by Palo Alto Networks. Secondly, we've got the WildFire private cloud. This is where Palo Alto next-generation firewalls forward files to an on-premise WF-500 appliance, so that's a dedicated WildFire appliance where local sandboxing takes place within the customer's private cloud; however, benign or grayware files never leave the customer's network. And then thirdly we have a WildFire hybrid cloud. This is where the firewalls can be configured to send specific file samples to either the WildFire public cloud or to the privately hosted WF-500 appliance.

Okay, so let's talk a little bit about WildFire file analysis. A Palo Alto Networks firewall configured with a WildFire Analysis security profile forwards samples to WildFire based on file type, which includes email links. The firewall uses protocol decoders to decode files that have been encoded or compressed up to four times, such as files in a zip format. There are a plethora of files that are supported for WildFire forwarding. This includes APKs, so Android application packages; Flash, so Adobe Flash applets and Flash content embedded in web pages; JAR files, so that's Java applets; MS Office files, so Microsoft obviously, including DOC, XLS, PPT, OpenXML etc.; then we have PE, which is portable executable files; PDFs; Mac OS X, so Mach-O, DMG and package files; email links, so HTTP and HTTPS links contained in SMTP and POP3 email messages; then archive files like RAR or 7-Zip; Linux Executable and Linkable Format, which is ELF files; and also script files like JavaScript, VBScript, PowerShell script and HTML Application. So there are so many files that can be sent up to WildFire for analysis.

So I briefly wanted to touch upon WildFire verdicts. When WildFire analyzes a previously unknown sample in the Palo Alto Networks hosted WildFire global cloud or a locally hosted WildFire private cloud, a verdict is produced to identify samples as either malicious, grayware, phishing or benign. Phishing is a URL-only verdict, and there is a C2 response verdict as well, but this is only available through the WildFire/AutoFocus API; on the firewall this type will be classed as malware.

Okay, so we've discussed the building blocks of WildFire analysis, but how does this actually work? Let's go through a scenario. Let's say a user downloads an email file attachment. The firewall hashes the file and checks to see if there is already a verdict. If no matches are found, the firewall uploads the file and session data to WildFire. So now that the file has been uploaded to WildFire, WildFire performs a static analysis using machine learning to understand the characteristics of the sample and classifies malicious features. WildFire generates a verdict for the malware. WildFire then executes the malicious file within a customized virtual machine using dynamic analysis to fully understand the intricacies of the file. WildFire continues to examine the file using the heuristics engine and determines that it shows suspicious behavior. At this point the heuristics engine sends the file for bare metal analysis. The WildFire bare metal analysis environment detonates the file. WildFire then produces detailed forensics data that is used by AutoFocus and to create reports that are available to view within the WildFire portal, submission logs and analysis reports. WildFire then generates new DNS, URL categorization and antivirus signatures for the new threat, which are then in turn added to the next WildFire update package and become available to customer firewalls with a valid WildFire threat license within five minutes.

Okay, so we're going to move into the lab now. I've logged into the firewall already; I'm on the primary firewall. So the first thing we're going to do is check that we've got a valid license. If we head over to the Device tab and then go down to Licenses, what we're looking for is the WildFire license, and confirm that it is definitely valid, which in my lab it is. The next thing we're going to do is configure the deployment type, so we go back to Setup, then we're going to go to WildFire and click on General Settings. I'm going to confirm that in this lab I'm going to be using the public cloud, so wildfire.paloaltonetworks.com. I'm going to keep the file size limits default; these can be adjusted in a production environment. And for the reporting I'm going to report on both benign files and grayware, and then click OK.

I just wanted to take a couple of minutes to discuss a WildFire best practice. If your Palo Alto Networks firewall is decrypting SSL traffic, ensure that "Allow Forwarding of Decrypted Content" is checked in the Content-ID settings. In order to do that you need to go to Device, then Content-ID, then click on the cog in Content-ID Settings, and you'll notice this "Allow Forwarding of Decrypted Content" isn't checked, so I'm going to tick that and then click OK. Now let's just click on the help page and read what it says under the Content-ID settings: "Allow Forwarding of Decrypted Content: enable this option to configure the firewall to forward decrypted content to an outside service when port mirroring or sending WildFire files for analysis. Enable this option and send all unknown files in decrypted traffic to WildFire for analysis." Now, make sure you don't overlook this. If your firewall is decrypting SSL traffic then you need to do a little bit of research and just investigate if this needs to be set, and as far as I can see this shouldn't be overlooked.

Okay, so on to the next step. We're going to configure the WildFire Analysis security profile to define what samples should be sent up to WildFire. We're going to do that by going to Objects, then Security Profiles, then WildFire Analysis, and what we're going to do here is clone this default one, click OK, and then I'm just going to name this Outbound-WF, which conforms with the naming convention that I've already got set in the firewall. Then I'm going to change this rule to "all files": it's going to allow any application, any file types, the direction is both, and the analysis is going to the public cloud. Then click OK.

Okay, so the next part of the configuration is to add the new WildFire security profile to the existing General Internet Access security rule. If I go to the Policies tab you'll see General Internet Access, and as you can see there is already a profile tethered to the policy. In my previous video I created multiple signature-based security profiles and added each profile to a security profile group, so if I go back to Objects and click on Security Profile Groups you'll see I have Outbound, Inbound, Internal and Default. Now, the security profile group on the General Internet Access rule is called Outbound, and if I open that you can see I've got an antivirus profile, anti-spyware profile and vulnerability protection profile configured, or selected, in this group. Now I've got two choices. I can either go back to the policy, open up the General Internet Access rule, go to the Actions tab, and as you can see I've got Profile Group, but at the moment the WildFire Analysis security profile isn't in that profile group, so I could select Profiles and then individually select each one of these; or I can leave that as Group Profile, go back to Objects, then go into Security Profile Groups, click on Outbound, and then simply choose the outbound WildFire Analysis profile that I created a few steps back and click OK. By doing that, that's now been added, as you can see it's been added here, so that means it is now ready to go in that policy.

So at this point WildFire is now completely configured on the firewall. We have got the security profiles attached to this General Internet Access rule, it's going to scan all the traffic, and the WildFire security profile will just do its job. Now the final thing we need to check and confirm is that the dynamic updates are correct for WildFire. If we go to the Device tab, then Dynamic Updates, and go down to WildFire, you can see we've got a schedule configured: it's going to check every minute, it's going to download and install, and then it's going to sync to the HA peer. So we are good to go. WildFire is now completely configured and it will just be left to its own devices to do the work, and once we start getting traffic coming through that policy we will be able to see the WildFire submissions in the Monitor tab under WildFire Submissions, and your logs will start coming in here with the verdicts. Don't forget to commit your changes, and that's the end of the lab.

Okay guys, that's it for today's video. Thanks for watching. Over the next coming weeks I will be uploading more videos where I will be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you like this video, I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas or video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks.
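The lab above is done entirely in the web UI. As an added example (not from the video, and not Palo Alto Networks documentation), the PAN-OS 9.1 CLI sequence below covers the same steps in the order the video takes them: license check, WildFire general settings, the Content-ID decrypted-content forwarding setting, the WildFire Analysis profile, its addition to the security profile group, the update schedule, and the commit. The profile name (Outbound-WF), rule name (all-files) and group name (Outbound) are assumed from the lab; lines beginning with `//` are annotations and not CLI input; `>` is operational mode and `#` is configuration mode. Option keywords are from memory and should be confirmed on your firewall with `?` tab completion before use.

```text
// --- Operational mode: pre-checks ---
> request license info                      // confirm the WildFire license is present and not expired
> show wildfire status                       // cloud server, registration state, per-type file-size limits
> test wildfire registration                // verifies the firewall can reach and register with the WildFire cloud

// --- Configuration mode ---
> configure

// General settings: public cloud, report benign and grayware samples (assumed keyword names)
# set deviceconfig setting wildfire public-cloud-server wildfire.paloaltonetworks.com
# set deviceconfig setting wildfire report-benign-file yes
# set deviceconfig setting wildfire report-grayware-file yes

// Best practice from the video: allow decrypted SSL content to be forwarded to WildFire
# set deviceconfig setting ctd allow-forward-decrypted-content yes

// WildFire Analysis profile: any application, any file type, both directions, public cloud
# set profiles wildfire-analysis Outbound-WF rules all-files application any file-type any direction both analysis public-cloud

// Attach the profile to the group already used by the General Internet Access rule
# set profile-group Outbound wildfire-analysis Outbound-WF

// Dynamic updates: check every minute, download and install, sync to the HA peer
# set deviceconfig system update-schedule wildfire recurring every-min action download-and-install
# set deviceconfig system update-schedule wildfire recurring sync-to-peer yes

# commit
# exit

// --- Operational mode: verify once traffic matches the rule ---
> show wildfire status                       // should now show the profile's cloud and "Registered"
> show log wildfire direction equal backward // newest WildFire submission log entries and their verdicts
```

Run `show wildfire status` before and after the commit: if registration fails, no samples leave the firewall regardless of the profile, so fix licensing or outbound reachability to the cloud server first. The `file-size-limit` options under `set deviceconfig setting wildfire` are where the per-type limits the video leaves at default would be tuned for production.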
Info
Channel: MB Tech Talker
Views: 340
Keywords: palo alto networks, palo alto firewall tutorial, palo alto networks firewall, palo alto networks wildfire wf-500, wildfire analysis, wildfire analysis profile, wildfire analysis verdicts, wildfire analysis in palo alto
Id: Yed98-qemM8
Length: 14min 7sec (847 seconds)
Published: Fri Apr 16 2021