Friday, May 26, 2017

Configuring Antivirus Blocking on a Palo Alto Networks Firewall

WildFire Overview

WildFire is a cloud-based malware analysis environment that provides granular and coordinated threat analysis for all traffic and attack vectors across thousands of applications, including web traffic, email protocols (i.e, SMTP, IMAP, and POP), and FTP, regardless of location in the organization, ports, or deception techniques, such as hiding behind encryption (SSL). WildFire automatically creates protection against new threats and delivers them to all subscribers in as few as 5 minutes.

WildFire is a sandbox analysis service that examines files for zero-day malware. A firewall administrator can submit copies of files transferred through the firewall to WidlFire for analysis. Typically, within 5 minutes WildFire will process the file and provide a malware verdict plus a detailed analysis report. This service is available to all firewall owners for free with a license available for advanced features.

WildFire is implemented in a Palo Alto Networks managed public cloud or a WF-500 appliance installed on a user's network. WildFire malware findings result in a new detection signature being created and added to the worldwide Antivirus Update for all firewalls within 24 to 48 hours. WildFire license holders can receive these new signatures in as few as 15 to 30 minutes.

A detailed description of WildFire can be found on this link.



To configure Antivirus blocking on the PAN firewall (I didn't have any updated Threat Prevention or  WildFire licenses installed), go to Objects > Security Profiles > Antivirus.



There’s already an Antivirus profile created called default with Application Decoders such as http, smtp, etc. using the default Action of block.
 



Clone the default Antivirus profile by selecting default > Clone > re-name default-1 (AV-PROF) > leave other fields in default > click OK.
 



Apply the Antivirus Profile on the Outbound Security rule 2 (USER-INTERNET-ACCESS) under Policies > Security.
 


Go under Actions tab > Profile Setting > choose the newly created Antivirus Profile (AV-PROF) > click OK > the click Commit to apply the changes.
 


To test if the PAN firewall Antivirus profile is working, go to the website www.eicar.org > click DOWNLOAD ANTI MALWARE TESTFILE
 


Click DOWNLOAD on the left-hand corder > click on eicar.com and eicar.com.txt  under Download area using the standard protocol http.
 


You'll receive a web page error displaying the Virus Download Blocked.




You can verify the Antivirus blocking logs on the PAN firewall under Monitor > Logs > Threat.
 


Choose a specific Threat log and click on the magnifying glass icon to view more details.
 


No comments:

Post a Comment