1. 8.1 Wildfire concepts
In this video, we are covering PCNSA 210, and this is our Chapter Eight, WildFire Virus Analysis. Now this is the first video of chapter eight, which is 8.1, WildFire Threat Intelligence Cloud. Now, malware has become more powerful. It has also become more targeted and customized for a particular network. This customization helps the malware to avoid traditional signature-based anti-malware solutions. Palo Alto Networks firewalls across the world forward unknown files and URL links found in emails to the WildFire Threat Intelligence Global Cloud or to one of the three regional clouds, which are located in Europe, Japan, and Singapore. Now, each WildFire cloud analyses samples and generates malware signatures and verdicts independently of the others, and the verdict can be benign, grayware, malware, or phishing. Now, benign means that the file is safe and does not exhibit malicious behavior. Grayware means that there is no security threat, but the file might display obtrusive behavior. Examples include adware, spyware, and browser helper objects, or places where there could be malware. Now, malware is malicious in nature and intent and can pose a security threat. Examples include viruses, worms, Trojan horses, remote access tools, rootkits, and botnets.
Or the verdict could be phishing, based on the properties and behaviors the website displays. WildFire signatures and verdicts are then shared globally, which enables WildFire users worldwide to benefit from malware coverage regardless of the location where the malware was first detected. Now, WildFire users worldwide can also use the WildFire XML API or the WildFire portal to manually upload files to WildFire for analysis. Now, WildFire is a cloud-based virtual sandbox that is used to evaluate unknown files and URL links found in emails. The evaluation occurs in Android, Linux, Mac OS X, Windows XP, Windows 7, and Windows 10 environments. WildFire operations overview: when the firewall encounters a file, it will first check whether the file is signed by a trusted signer.
If the answer is yes, then the firewall trusts that the file does not have any hidden malware and allows the file to be delivered. If the answer is no, then the firewall will compute a hash of the file and check whether the file has been sent to WildFire before; if it has, then it will look at the verdict that WildFire generated. For example, if the verdict is benign, then the file will be allowed. The same goes for grayware. If the verdict is phishing, the file will be denied, and if the verdict is malware, it is definitely denied. If the file has not been seen by WildFire before, the firewall checks that the file size is less than the configured maximum, which is the maximum firewall-to-WildFire transmission size. If it is not less than the maximum, the file is allowed through without analysis. If it is, then the file is sent to WildFire for analysis.
Now WildFire will generate its own hash and then its own verdict, either benign, grayware, phishing, or malware, and it will immediately inform the firewall that sent the file for analysis. It will update the file list and generate a signature if the verdict was malware, and it will send the signature to other firewalls immediately. With a WildFire subscription, or with the daily threat updates, WildFire protects email: emails with attachments or URL links are sent to WildFire for analysis. If WildFire determines that the URL link included in the email is malicious, it quickly updates the antivirus signatures and the Palo Alto Networks database to prevent further compromises of other hosts around the world. If you have a WildFire license and a Palo Alto Networks database license, your firewall can block access to newly discovered malware and phishing sites in as few as five minutes. So we have content packages and WildFire updates: URL updates are available every five minutes, and these are downloaded dynamically, so you don't need to schedule the download, but it does require you to have a URL Filtering license. We have antivirus signatures as well: WildFire signatures can be pulled every minute, and that does require a WildFire license. All of these updates are also made available within 24 to 48 hours to anyone with a Threat Prevention license, as antivirus signatures that are downloaded daily, but that does require a Threat Prevention license. Standard subscription: with a Threat Prevention license, you have access to the standard WildFire subscription services.
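The forwarding flow just described (trusted signer, hash lookup of a previously seen file, verdict-to-action mapping, size limit, and WildFire's verdict coming back) can be written out as a small decision model. This is an added example, not Palo Alto Networks code or PAN-OS logic; the class names, the per-type size limits and the reason strings are assumptions used to make the branches visible.

```python
"""Model of the firewall-side WildFire flow described in lesson 8.1.

Added example, not PAN-OS code. It models: trusted-signer bypass, SHA-256
lookup of a cached verdict, the verdict-to-action mapping from the lesson
(benign/grayware allowed, phishing/malware denied), the transmission size
limit, and the verdict coming back from WildFire. `VerdictCache`,
`MAX_UPLOAD_BYTES` and the reason strings are assumed names, not PAN-OS ones.
"""
import hashlib
from dataclasses import dataclass, field

# How the lesson says the firewall acts on each WildFire verdict.
ACTION_FOR_VERDICT = {
    "benign": "allow",
    "grayware": "allow",
    "phishing": "deny",
    "malware": "deny",
}

# Assumed per-file-type firewall-to-WildFire transmission limits in bytes
# (PAN-OS configures these per file type under Device > Setup > WildFire).
MAX_UPLOAD_BYTES = {"pe": 10 * 1024 * 1024, "pdf": 1000 * 1024}


@dataclass
class Sample:
    name: str
    file_type: str
    content: bytes
    trusted_signer: bool = False

    def sha256(self) -> str:
        # The firewall hashes the file and uses the hash as the lookup key.
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class VerdictCache:
    """Constructed stand-in for the firewall's record of hashes already seen."""
    verdicts: dict = field(default_factory=dict)

    def lookup(self, digest: str):
        return self.verdicts.get(digest)

    def record(self, digest: str, verdict: str) -> None:
        if verdict not in ACTION_FOR_VERDICT:
            raise ValueError(f"unknown verdict {verdict!r}")
        self.verdicts[digest] = verdict


def decide(sample: Sample, cache: VerdictCache) -> tuple:
    """Return (action, reason) following the lesson's flow.

    action is 'allow' or 'deny'. A file that is forwarded for analysis is
    delivered while the verdict is pending; a file above the size limit is
    delivered without being analysed at all.
    """
    if sample.trusted_signer:
        return "allow", "trusted-signer"
    cached = cache.lookup(sample.sha256())
    if cached is not None:
        return ACTION_FOR_VERDICT[cached], f"cached-verdict:{cached}"
    limit = MAX_UPLOAD_BYTES.get(sample.file_type)
    if limit is None or len(sample.content) >= limit:
        return "allow", "not-forwarded:size-limit"
    return "allow", "forwarded-to-wildfire"


def receive_verdict(cache: VerdictCache, digest: str, verdict: str) -> bool:
    """WildFire reports its verdict and the firewall records it.

    Returns True when, per the lesson, a signature is generated (malware).
    """
    cache.record(digest, verdict)
    return verdict == "malware"


if __name__ == "__main__":
    cache = VerdictCache()
    unknown = Sample("sample.exe", "pe", b"MZ constructed test bytes")
    print(decide(unknown, cache))                       # forwarded on first sight
    receive_verdict(cache, unknown.sha256(), "malware")
    print(decide(unknown, cache))                       # denied on the next sight
```

The second `decide` call shows why the hash lookup matters: once WildFire has returned a verdict, the same file is denied locally without another round trip, which is also why the lesson stresses that verdicts are shared across firewalls.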
And the standard subscription services include file and URL analysis in Windows 7 and Windows XP virtual machines. You can automatically submit unknown Windows portable executable files, and antivirus signatures will be delivered via the daily dynamic content update. But you do require a Threat Prevention license. This is your standard WildFire subscription. If you have a WildFire license, then you get everything under the standard subscription as well as additional file types, WildFire antivirus signature updates every five minutes, an application programming interface (API) for file submission, and access to the WildFire private cloud appliance, the WF-500. Now, this WF-500 appliance is able to analyse files forwarded from your Palo Alto Networks firewalls or through the WildFire XML API. Locally, it only supports Windows XP and Windows 7 virtual environments, so it will locally analyse unknown files and URLs found in emails. So the good thing here is that your files never leave your network.
Files are analysed locally, and the appliance generates antivirus signatures, categorises URLs, updates them every five minutes, and supports the WildFire XML API. It does not support a phishing verdict. But you can have a private cloud and a public cloud together, and that is called a hybrid cloud. Example: to the private cloud you send sensitive data only, while to the public cloud we send portable executables and APK files because they are not sensitive. WildFire appliance cluster: you can configure and manage up to 20 WildFire appliances as a WildFire appliance cluster on a single network. WildFire appliance clusters are especially useful in environments where you cannot use the WildFire public cloud. Clusters also provide fault tolerance and a single signature package that is distributed to all firewalls connected to the cluster.
2. 8.2 Configuring and managing WildFire
In this video, we are covering PCNSA 210, and this is our Chapter Eight, WildFire Virus Analysis. Now this is the second video of chapter eight, which is 8.2: Configuring and Managing WildFire. Now, to configure WildFire settings, you need to navigate to Device and then Setup. There we have a WildFire tab, with a General Settings section that holds the configuration for the public cloud location and the private cloud location, and the proxy settings, which are not set. And then we have the file size limits.
These are the maximum firewall-to-WildFire transmission sizes. If a file is smaller than the configured maximum, it will be sent to WildFire for analysis; if it is larger than the size configured here, it will not be sent to WildFire for analysis. But we can edit this. I will leave them as they are. Then we have the report settings for benign and grayware files. If we want to edit or change any of these, we need to click on the gear icon, and once we click it, we are able to edit. We can edit the Public Cloud and Private Cloud locations as well as the file sizes, and you can also choose to report benign and grayware files if you want them to appear in the submission log.
Now, submission settings. If you want to navigate to the submission settings, it is pretty much the same place: Device, Setup, and then WildFire. If you scroll down, you'll see the Session Information Settings. As you can see, all of the items that are going to be reported to WildFire are ticked by default, and some people are sensitive about this. If you don't want to send, say, the source IP address, the source port number, or any of these, you just need to untick them. To edit these, you need to press the gear icon again. Once we have pressed it, we can edit them. Now, the WildFire Analysis profile represents additional security checks to be performed on files in allowed network traffic. As network traffic comes into our firewall, the firewall checks the security policy rule. If the security policy rule says to block the traffic, then no security profile is going to be applied, because the traffic is blocked.
If the traffic is allowed, then we can add other security profiles as well as a WildFire Analysis profile. Anything that has been submitted to WildFire we will see under Monitor, Logs, WildFire Submissions, which we are going to look at later in the lessons when we do the lab. Now, like the other security profiles, the WildFire Analysis security profile has a predefined, read-only default profile. This one you can't change, edit, or delete. If you want to change or edit it, you just need to clone it, and you can edit the clone. If this default security profile is attached to a security policy rule, then all unknown files from any application allowed by the rule will be forwarded to the WildFire public cloud for analysis. You can clone the default one and make changes as you wish. So, for example, here is exactly what I did.
I created my own WildFire Analysis profile, and I selected which file types I want to send, in which direction, and whether to send them to the public cloud or the private cloud. Sensitive data we send to the private cloud. Now, once we have configured that security profile, we have to go and attach it to the security policy rule, as we have done many times. You need to go to Policies, Security, and then find the rule. Then under Actions, you go to Profile Settings and attach the WildFire Analysis profile that you just created. And then obviously we are going to click OK and commit for it to take effect. WildFire update schedule: the poll period for WildFire antivirus updates requires a WildFire license. We can schedule the poll for every minute, every 15 minutes, every 30 minutes, every hour, or none. And then we can choose what to do with the download. Without the license, WildFire antivirus signatures are still added to the daily antivirus content package.
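The sequence just described, a security policy rule first (blocked traffic gets no profile), then the attached WildFire Analysis profile rules (application, file type, direction, public or private cloud) choosing where an unknown file goes, is modelled below, including the hybrid private/public split from lesson 8.1. This is an added example, not PAN-OS code; first-match ordering of profile rules, the field names and the file-type labels are assumptions.

```python
"""Model of security-policy-then-WildFire-Analysis-profile forwarding.

Added example, not PAN-OS code. A session is matched to a policy rule by
zone pair; a deny rule means no profile is applied at all. For an allow rule,
the attached profile rules are checked in order (first match is an assumption)
and the matching rule's analysis location says where the file is forwarded.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileRule:
    name: str
    applications: frozenset   # frozenset({"any"}) matches every application
    file_types: frozenset     # e.g. "pe", "apk", "pdf"; "any" matches all
    direction: str            # "upload", "download" or "both"
    analysis: str             # "public-cloud" or "private-cloud"

    def matches(self, application: str, file_type: str, direction: str) -> bool:
        app_ok = "any" in self.applications or application in self.applications
        type_ok = "any" in self.file_types or file_type in self.file_types
        dir_ok = self.direction == "both" or self.direction == direction
        return app_ok and type_ok and dir_ok


@dataclass(frozen=True)
class PolicyRule:
    name: str
    from_zone: str
    to_zone: str
    action: str                  # "allow" or "deny"
    wildfire_profile: tuple = ()  # ordered ProfileRules; () means none attached


# Behaviour of the read-only default profile: any app, any type, both
# directions, public cloud.
DEFAULT_PROFILE = (
    ProfileRule("default", frozenset({"any"}), frozenset({"any"}), "both", "public-cloud"),
)

# Constructed hybrid profile in the spirit of lesson 8.1: document types that
# may carry sensitive data stay in the private cloud, PE and APK go public.
HYBRID_PROFILE = (
    ProfileRule("sensitive-docs", frozenset({"any"}), frozenset({"pdf", "ms-office"}),
                "both", "private-cloud"),
    ProfileRule("pe-apk", frozenset({"any"}), frozenset({"pe", "apk"}),
                "both", "public-cloud"),
)


def forwarding_decision(policy, from_zone, to_zone, application, file_type, direction):
    """Return 'blocked', 'not-forwarded', 'public-cloud' or 'private-cloud'."""
    rule = next((r for r in policy
                 if r.from_zone == from_zone and r.to_zone == to_zone), None)
    if rule is None or rule.action != "allow":
        # Blocked traffic never reaches a security profile.
        return "blocked"
    for pr in rule.wildfire_profile:
        if pr.matches(application, file_type, direction):
            return pr.analysis
    # Allowed, but no profile rule covers this file: delivered unanalysed.
    return "not-forwarded"


# Constructed rulebase for demonstration only.
POLICY = (
    PolicyRule("in-to-out", "inside", "outside", "allow", HYBRID_PROFILE),
    PolicyRule("out-to-in", "outside", "inside", "deny"),
)

if __name__ == "__main__":
    for args in (("inside", "outside", "web-browsing", "pe", "download"),
                 ("inside", "outside", "smtp", "pdf", "upload"),
                 ("inside", "outside", "ftp", "jar", "download"),
                 ("outside", "inside", "web-browsing", "pe", "download")):
        print(args, "->", forwarding_decision(POLICY, *args))
```

The third case is the one worth noticing when you build your own profile instead of cloning the default: a file type you left out of every rule is simply delivered without analysis, so it is not a policy block and it will not show up under WildFire Submissions.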
3. 8.3 Wildfire reporting
In this video, we are covering PCNSA 210, which is our Chapter Eight, WildFire Virus Analysis. Now this is the third video of chapter eight, which is 8.3, WildFire reporting. Now, WildFire reporting. Every time we send files or URLs to be analysed by the WildFire cloud, WildFire analyses them and reports its findings back to the firewall. We can also configure both the types of information that we send to WildFire and how much of that information is returned to our firewall.
The information reported back to the firewall is located under Monitor, Logs, WildFire Submissions. If you want to check whether a file was actually submitted correctly, you can use the firewall CLI command "debug wildfire upload-log show". It will show you whether you have correctly submitted a file to be analysed. Then we see the result under Monitor, Logs, WildFire Submissions. If we want more information, for example the detailed report, we click on the magnifying glass, and that will open the report in more detail, including the verdict.
So we can see that the verdict, for example, is malware. We can download the sample file. If it is malware, you are going to be downloading malware, so be careful what you download there. You can see that this file is a portable executable and the verdict is malware. You can also download a PDF version of the report. For example, say that you think, "Okay, that report or that verdict is wrong," and you want to change it. You can suggest a new verdict. You open the same window as before and scroll down towards the end, where you will see "Report an incorrect verdict", and you can suggest a verdict, for example grayware or benign. WildFire portal: the results of the detailed analysis of submitted files are also available through the WildFire portal. To access the WildFire portal, go to https://wildfire.paloaltonetworks.com. To display the entire list of submitted files, click the Reports button at the top of the WildFire portal; to display the analysis report for an individual file, click the details icon to the left of the file name.
4. 8.4 Lab Wildfire
In this video, we are covering PCNSA 210, and this is our Chapter Eight, WildFire Virus Analysis. Now this is the fourth video of chapter eight, which is 8.4, Lab WildFire. Now, like with every other lab, everything that we learned in this chapter we are going to try to implement in our lab.
It's not a big lab; there are just a few things to do, but it's still very interesting stuff. The first thing is that we're going to configure the WildFire settings. Well, we're not going to change anything; I'm just going to show you where to go and find them if you need to change them. Then we're going to configure and test a WildFire Analysis security profile. And here I'm going to have to pause the video a few times, because the submissions are not going to appear right away. We need to wait maybe five or ten minutes to see any submissions.
And then we're going to look at the WildFire update schedule. Now, this is the lab topology that we'll be using to demonstrate WildFire. All I need is a PC in the inside zone that's going to go out to the Internet and simulate a zero-day attack, and we're going to see a WildFire submission. So I'm going to go to my firewall, and the first thing we're going to do is look at the WildFire settings. To find them, you need to go to Device, then Setup, and then we have a WildFire tab. These are the general settings, and these are the predefined settings. If you want to change them, you need to click on this gear icon, and we can change the public cloud to a regional cloud, as we learned in one of the lessons. We can change it to our private cloud as well.
Or we can use both as a hybrid, private and public. And the file size limits: these are the file sizes that must not be exceeded for the firewall to upload a file to WildFire, and you can change them. Then the defaults for benign and grayware files: are they going to appear in the submission log or not? Anyway, I'm not going to change anything; I'm just going to leave it as is. Further down, we have the session information settings. This is the information that is going to be sent to WildFire. If people are sensitive, or maybe don't want to send some of this information, they can untick it. By default, you can see that everything has been checked, and maybe I don't want to send the user ID.
Just untick that. Maybe I don't want to send the email subject. Untick that. Anything that you don't want to send can just be unticked. I'm going to leave it; the default is fine. It is a training firewall anyway. So the next step, to configure and test the WildFire Analysis profile, is, like every other security profile, to navigate to Objects and then Security Profiles, and then we have WildFire Analysis. Now, as you can see, by default, like the other security profiles, WildFire Analysis has a predefined default profile as well. You can use it, but you can't delete it or modify it. If you want to modify it, you clone it first, and then you can modify the clone. If I open this predefined default one, you can see that it's read-only, and anything will be sent to the public cloud. Okay, so I'm going to create my own WildFire Analysis security profile, and I'm going to call it Astrid WF, for WildFire profile, and I'm going to leave the description field empty. I'm going to click Add, and for the name I'm just going to put PE, for portable executable. For the application, I can put any, or I can add a specific application I want to use; I'll leave it on any. For the file type, I want to use portable executables only.
And you can see all the file types that we could use. I'm just using PE, and the direction can be upload, download, or both. I'm going to use both, upload and download. And the analysis can be public or private cloud. We don't have a private cloud; you saw it on the list, I don't have anything under "private", so I'm going to leave it at "public-cloud" only and click OK. Now this security profile needs to be attached to the security policy rule. For that, I need to go to Policies and then Security. The rule is from the inside zone to the outside zone, so in-to-out. Under Actions, I need to change my profile settings: I'm going to add a WildFire Analysis profile, pick the profile I just created, and click OK. So now this is configured, and we're going to commit it. Okay, now that the commit has completed successfully, I can close this. To actually simulate a zero-day attack, I need to go to my inside machine, open an incognito browser, and navigate to one of the Palo Alto Networks sites that simulates this zero-day attack: http://wildfire.paloaltonetworks.com/publicapi/test/pe. Okay, so I don't need to click anything else, but that's my zero-day attack, and it should have generated a WildFire submission.
Now, to verify that, I can open a terminal emulator like PuTTY and access my firewall. The IP address of my firewall is 192.168.1.254, and I open an SSH session and log in as admin. Then, to see whether anything has been uploaded or submitted to WildFire for analysis, I'll use the command "debug wildfire upload-log show". As you can see, we have an entry that indicates a PE file has been uploaded successfully. I have uploaded other files as well; I can see them here too, because I did the practice earlier and uploaded them a few times. Okay, so we need to go back to Monitor to see it, and that will be under Logs and WildFire Submissions. And there we go. We can see the WildFire submission, with the source zone inside, the destination zone outside, the source address, and the destination address. And further down, we should see the verdict: malicious.
If you want to see this file in more detail, we need to click on the magnifying glass, and it will open the WildFire analysis report in more detail. We can see here that the verdict on the file is malware. There is the sample file; we can download it here as well if you want to, but it's still a virus. And if we're not happy with this verdict, we can go towards the end and click "Report incorrect verdict". I click there, and this will open the page where I can suggest a different verdict. The next thing we're going to do is look at the WildFire license that we have and then look at the update schedule. To look at the license, we need to go to Device, and towards the end we have Licenses, and our WildFire license is valid up to 2021; it gives us WildFire signature feeds, integrated WildFire logs, and the WildFire APIs. If we want to change the update schedule for WildFire, we need to go to Device and then Dynamic Updates. Again, towards the end, we have WildFire, and we can see it with its schedule. We can schedule it to update every minute, every 15 minutes, every hour, and so on. And then what to do with the download: we can do nothing, download only, or download and install. Okay.