WildFire Appliance (WF-500)
PROPRIETARY AND CONFIDENTIAL

WildFire Appliance – WF-500
• Single-mode WildFire appliance
  - Provides similar functionality to the public-cloud WildFire service
• Sandboxed malware analysis
  - Accepts samples from firewalls and returns a malware / benign verdict
• Transparent configuration from the firewall's perspective
  - The firewall can be configured to use either the public cloud or a WildFire appliance
  - A firewall can connect to only one WildFire (public cloud or WildFire appliance), not both
• Option to connect the WildFire appliance to the public cloud
  - Confirmed malware files can then be submitted to the public-cloud WildFire

WildFire public cloud
(diagram: customer firewalls submit unknown files directly to the WildFire cloud)

WildFire with WF-500
(diagram: customer firewalls on the local customer network send all unknown files to the WF-500; the WF-500 sends a link to the analysis back to the firewall, which adds it to its WildFire log; confirmed malware is optionally forwarded to the WildFire cloud, which distributes signatures)

WildFire private cloud
(diagram: WF-500 serving the customer firewalls; a WildFire license is required)

https://wildfire.paloaltonetworks.com
• Overview of all firewalls connected to the account and their reports
• Files can be uploaded manually or through the API

Reports
• Identical on the WildFire portal and on the WF-500
• Detailed summary of the behavior seen in the VM: registry entries modified, files and processes touched or created
• Link to the VirusTotal analysis of the executable by 43 AV vendors

Design options
(diagram: WildFire Cloud)

WildFire Appliance – WF-500
• Dual 6-core CPUs, 12 physical cores (24 logical cores with HT)
• 128 GB RAM
• 2 x 2 HDD in RAID1 in 5.1
• 18 VMs in 5.1, running Windows XP
• Only PE files supported (.cpl, .exe, .dll, .ocx, .sys, .scr, .drv)
• API not supported yet
• CLI only
• No HA

Insides
• Over 100 suspicious behaviors are analyzed:
  - Create files or executables in the Windows/user folders
  - Spawn new processes
  - Disable/change the Windows firewall
  - Modify the registry
  - Change proxy/DNS settings
  - Change browser security settings
  - Inject code into another process
  - Attempt to sleep (to evade sandbox detection)
  - Delete/move itself
  - …

Results
If an executable is found to be malicious, multiple actions are taken:
• A WildFire signature is created to identify the malware
• URL traffic from the malware is added to PAN-DB URL filtering
• DNS signatures are recorded for the DNS sinkhole project
• Anti-C&C signatures are generated

Performance sizing
• Sized for our largest customers with a small number of devices reporting to the WF-500
• Can analyze about 4,500 unique samples per day (consistent with 18 VMs at roughly five minutes per analysis, as the Start/Finish timestamps in the troubleshooting output show)
• Only unknown samples are analyzed in a VM; a sample whose hash already has a verdict is not detonated again

WildFire Appliance – WF-500
(photos: front and back of the appliance)

WildFire Appliance – WF-500
• Licensing:
  - Only a Support license on the WildFire appliance (WF-500)
  - WildFire Subscription license on the firewalls
  Without a WildFire Subscription license the firewall can still submit samples, but it cannot receive WildFire signature updates or see the WildFire logs and reports.

WildFire Appliance – WF-500
• Pipeline model using queues:
  - Stage 1: Accept files from the firewall
  - Stage 2: Download
  - Stage 3: Analyze
  - Stage 4: Notify
  - Stage 5: Upload (if auto-submit is enabled)

WildFire Appliance – WF-500
• Storage
  - 2 x 2 TB in RAID1 (the RAID output in the troubleshooting section shows two mirrored pairs of ~1 TB disks)
  - 200 GB reserved for the DB (MySQL)
  - Recovery from DB corruption: a script checks DB connectivity and tries restarting it 3 times before entering maintenance mode; the DB can be wiped back to default from maintenance mode
  - Two partitions on each RAID pair:
    first pair:  30% DB, 70% PCAPs/samples
    second pair: 30% VM, 70% PCAPs/samples
  - File purging starts when less than 100 GB of PCAPs/samples partition space remains

WildFire Appliance – WF-500 - Configuration
• Configure wildfire / eth0:
  # set deviceconfig system ...
    ip-address
    netmask
    default-gateway
    update-server
    dns-setting
• eth0 is used for:
  - Management
  - Firewall connections to the WildFire appliance
  - The WildFire appliance's connection to the public cloud

WildFire Appliance – WF-500 - Configuration
• Configure the VM interface / eth1 (optional):
  # set deviceconfig system vm-interface ...
    ip-address
    netmask
    default-gateway
    link-state <up|down>
    dns-server
• eth1 is used for:
  - VM analyzer connections to the internet (the samples being detonated generate this traffic)
  - If eth1 is not configured, the VMs are served dummy DNS and HTTP responses instead
  Because live samples drive eth1's traffic, put it on an isolated, untrusted segment rather than on the management network.

WildFire Appliance – WF-500 - Configuration
• Configure the public cloud server:
  # set deviceconfig setting wildfire cloud-server <server>
  (to point at a different FQDN, or at a centralized WF-500 as a future expansion)
• Automatically submit malware to the public cloud:
  # set deviceconfig setting wildfire auto-submit <yes|no>
• Enable the VM network:
  # set deviceconfig setting wildfire vm-network-enable <yes|no>
• Set the portal admin password:
  > set wildfire portal-admin password

WildFire Appliance – WF-500 - Configuration
• Firewall configuration:
  - Configure the WildFire server:
    # set deviceconfig setting wildfire ...
      cloud-server <wildfire>       (delete this to use the public cloud)
      report-benign-file <yes|no>   (optional; default is 'no')
  - Configure a File Blocking profile with action 'forward' or 'continue-and-forward'
  - Attach the File Blocking profile to a Security Policy rule (files only reach WildFire through rules that carry the profile)

WildFire Appliance – WF-500 - Troubleshooting
Health check - Resources (CPU, memory):
> show system resources
top - 13:50:33 up 13 days,  4:20,  3 users,  load average: 0.00, 0.00, 0.00
Tasks: 491 total,   1 running, 490 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.1%us,  0.0%sy,  0.0%ni, 99.9%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:  132077376k total,  17826828k used, 114250548k free,   150952k buffers
Swap:      7992k total,        0k used,     7992k free, 13293312k cached

  PID  PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3626  30  10 14108 7592 3172 S    2  0.0 10:50.89 python
12068  20   0  2504 1196  724 R    2  0.0  0:00.02 top
    1  20   0  1772  564  492 S    0  0.0  0:09.15 init
    2  20   0     0    0    0 S    0  0.0  0:00.00 kthreadd
    3  RT   0     0    0    0 S    0  0.0  0:00.00 migration/0
    4  20   0     0    0    0 S    0  0.0  0:00.00 ksoftirqd/0
    5  RT   0     0    0    0 S    0  0.0  0:00.00 migration/1
    6  20   0     0    0    0 S    0  0.0  0:00.00 ksoftirqd/1
    7  RT   0     0    0    0 S    0  0.0  0:00.00 migration/2
    8  20   0     0    0    0 S    0  0.0  0:00.00 ksoftirqd/2
    9  RT   0     0    0    0 S    0  0.0  0:00.00 migration/3
   10  20   0     0    0    0 S    0  0.0  0:00.00 ksoftirqd/3
...
(the USER column of the original output was lost in extraction)

WildFire Appliance – WF-500 - Troubleshooting
Health check - Disk space:
> show system disk-space
Filesystem   Size  Used  Avail  Use%  Mounted on
/dev/sda3    7.6G  995M   6.2G   14%  /
/dev/sda5     23G  345M    22G    2%  /opt/pancfg
/dev/sda6     16G  589M    14G    5%  /opt/panrepo
tmpfs         63G     0    63G    0%  /dev/shm
/dev/sda8     56G  1.3G    52G    3%  /opt/panlogs
/dev/md1     276G  1.3G   260G    1%  /opt/panlogs/ld1_1
/dev/md2     642G  198M   610G    1%  /opt/panlogs/ld1_2
/dev/md3     276G   11G   251G    4%  /opt/vmrepo
/dev/md4     642G  198M   610G    1%  /opt/panlogs/ld2_2
/dev/ram0     61G  2.3G    55G    5%  /opt/panlogs/vm_img
The md1..md4 mounts are the 30%/70% partitions of the two RAID1 pairs; file purging is driven by the free space on the 70% PCAPs/samples partitions.

WildFire Appliance – WF-500 - Troubleshooting
Health check - RAID:
> show system raid detail
Disk Pair A
  Status        : Available clean
  Disk id A1    : Present
    model       : ST91000640NS
    size        : 953869 MB
    partition_1 : active sync
    partition_2 : active sync
  Disk id A2    : Present
    model       : ST91000640NS
    size        : 953869 MB
    partition_1 : active sync
    partition_2 : active sync
Disk Pair B
  Status        : Available clean
  Disk id B1    : Present
    model       : ST91000640NS
    size        : 953869 MB
    partition_1 : active sync
    partition_2 : active sync
  Disk id B2    : Present
    model       : ST91000640NS
    size        : 953869 MB
    partition_1 : active sync
    partition_2 : active sync
Anything other than "Available clean" / "active sync" on both partitions of every disk means a degraded mirror.

WildFire Appliance – WF-500 - Troubleshooting
Check the connection to the public cloud:
> show wildfire status
Connection info:
  Wildfire cloud:            default cloud
  Status:                    Idle
  Auto-Submit:               enabled
  VM internet connection:    enabled
  Best server:               ca-s1.wildfire.paloaltonetworks.com
  Device registered:         yes
  Service route IP address:  10.30.14.41
  Signature verification:    enable
  Server selection:          enable
  Through a proxy:           no

WildFire Appliance – WF-500 - Troubleshooting
General WildFire statistics:
> show wildfire statistics {days <1-31>}
Last one hour statistics:
  Total sessions submitted : 2
  Samples submitted        : 1
  Samples analyzed         : 1
  Samples pending          : 0
  Samples (malicious)      : 0
  Samples (benign)         : 1
  Samples (error)          : 0
  Malware sent to cloud    : 0
Last 24 hours statistics:
  Total sessions submitted : 2
  Samples submitted        : 1
  Samples analyzed         : 1
  Samples pending          : 0
  Samples (malicious)      : 0
  Samples (benign)         : 1
  Samples (error)          : 0
  Malware sent to cloud    : 0
Two sessions but one sample: the same file was seen in two sessions and deduplicated by SHA256, so it was analyzed only once. "Malware sent to cloud" stays 0 because only confirmed malware is uploaded, never benign samples.

WildFire Appliance – WF-500 - Troubleshooting
Firewalls registered with the WildFire device:
> show wildfire last-device-registration all
+--------------+---------------------+--------------+------------+----------+--------+
| Device ID    | Last Registered     | Device IP    | SW Version | HW Model | Status |
+--------------+---------------------+--------------+------------+----------+--------+
| 007201000107 | 2013-03-11 11:57:06 | 172.24.15.37 | 5.0.2      | PA-VM    | OK     |
+--------------+---------------------+--------------+------------+----------+--------+

WildFire Appliance – WF-500 - Troubleshooting
> debug wildfire vm all
+-------+------------------------------------------------------------------+---------------------+
| VM ID | Current Job                                                      | Last Updated        |
+-------+------------------------------------------------------------------+---------------------+
| 1     | Idle                                                             | 2013-03-11 14:58:51 |
| 2     | Idle                                                             | 2013-03-11 14:58:53 |
| 3     | Idle                                                             | 2013-03-11 14:58:55 |
| 4     | Idle                                                             | 2013-03-11 14:58:57 |
| 5     | Idle                                                             | 2013-03-11 14:58:59 |
| 6     | Idle                                                             | 2013-03-11 14:58:49 |
| 7     | Idle                                                             | 2013-03-11 14:58:51 |
| 8     | Idle                                                             | 2013-03-11 14:58:53 |
| 9     | Idle                                                             | 2013-03-11 14:58:55 |
| 10    | Idle                                                             | 2013-03-11 14:58:57 |
| 11    | Idle                                                             | 2013-03-11 14:58:59 |
| 12    | Idle                                                             | 2013-03-11 14:58:49 |
| 13    | Idle                                                             | 2013-03-11 14:58:51 |
| 14    | Idle                                                             | 2013-03-11 14:58:53 |
| 15    | Idle                                                             | 2013-03-11 14:58:55 |
| 16    | Idle                                                             | 2013-03-11 14:58:57 |
| 17    | Idle                                                             | 2013-03-11 14:58:59 |
| 18    | 1fc7da0ee224e6d62acb5aa637f696709677c998b2a9cd0a0f50f740c860c91b | 2013-03-11 15:06:22 |
+-------+------------------------------------------------------------------+---------------------+
A busy VM shows the SHA256 of the sample it is detonating; 17 idle VMs plus one job is what a lightly loaded appliance looks like.

WildFire Appliance – WF-500 - Troubleshooting
Show the latest data (analysis, samples, sessions, uploads):
> show wildfire latest <analysis|samples|sessions|uploads>
+ days            Set how many days to include, default is one
+ limit           Set number of rows to show, default is 30
+ sort-by         Set sort field
+ sort-direction  Set sort direction
| Pipe through a command
<Enter> Finish input

Show all data for a particular sample:
> show wildfire sample-status sha256 equal <file_sha_value>

WildFire Appliance – WF-500 - Troubleshooting
> show wildfire latest analysis
Latest analysis information:
+------------------------------------------------------------------+---------------------+---------------------+---------------------+-----------+-----------+
| SHA256                                                           | Submit Time         | Start Time          | Finish Time         | Malicious | Status    |
+------------------------------------------------------------------+---------------------+---------------------+---------------------+-----------+-----------+
| 1fc7da0ee224e6d62acb5aa637f696709677c998b2a9cd0a0f50f740c860c91b | 2013-03-11 15:06:22 | 2013-03-11 15:06:22 | 2013-03-11 15:11:31 | No        | completed |
| 73e32bfe108cc8511454cfe206bb372622d953d66e65f26c7d4224940eaa74ac | 2013-03-11 12:32:17 | 2013-03-11 12:32:17 | 2013-03-11 12:37:19 | No        | completed |
+------------------------------------------------------------------+---------------------+---------------------+---------------------+-----------+-----------+

> show wildfire latest samples
Latest samples information:
+------------------------------------------------------------------+---------------------+-----------+-----------+-----------+-----------+-------------------+
| SHA256                                                           | Create Time         | File Name | File Type | File Size | Malicious | Status            |
+------------------------------------------------------------------+---------------------+-----------+-----------+-----------+-----------+-------------------+
| 1fc7da0ee224e6d62acb5aa637f696709677c998b2a9cd0a0f50f740c860c91b | 2013-03-11 15:06:22 | test.exe  | PE        | 23,308    | No        | analysis complete |
| 73e32bfe108cc8511454cfe206bb372622d953d66e65f26c7d4224940eaa74ac | 2013-03-11 12:32:16 | test.exe  | PE        | 23,308    | No        | analysis complete |
+------------------------------------------------------------------+---------------------+-----------+-----------+-----------+-----------+-------------------+

WildFire Appliance – WF-500 - Troubleshooting
> show wildfire sample-status sha256 equal 73e32bfe108cc8511454cfe206bb372622d953d66e65f26c7d4224940eaa74ac
Sample information:
+---------------------+-----------+-----------+-----------+-----------+-------------------+
| Create Time         | File Name | File Type | File Size | Malicious | Status            |
+---------------------+-----------+-----------+-----------+-----------+-------------------+
| 2013-03-11 12:32:16 | test.exe  | PE        | 23308     | No        | analysis complete |
+---------------------+-----------+-----------+-----------+-----------+-------------------+
Session information:
+---------------------+---------------+----------+----------------+----------+----------+--------------+--------------+-----------+-----------+
| Create Time         | Src IP        | Src Port | Dst IP         | Dst Port | File     | Device ID    | App          | Malicious | Status    |
+---------------------+---------------+----------+----------------+----------+----------+--------------+--------------+-----------+-----------+
| 2013-03-11 12:35:23 | 172.24.12.105 | 80       | 192.168.37.133 | 2460     | test.exe | 007201000107 | web-browsing | No        | completed |
| 2013-03-11 12:32:16 | 172.24.12.105 | 80       | 192.168.37.133 | 2452     | test.exe | 007201000107 | web-browsing | No        | completed |
+---------------------+---------------+----------+----------------+----------+----------+--------------+--------------+-----------+-----------+
Analysis information:
+---------------------+---------------------+---------------------+-----------+-----------+
| Submit Time         | Start Time          | Finish Time         | Malicious | Status    |
+---------------------+---------------------+---------------------+-----------+-----------+
| 2013-03-11 12:32:17 | 2013-03-11 12:32:17 | 2013-03-11 12:37:19 | No        | completed |
+---------------------+---------------------+---------------------+-----------+-----------+
Upload information:
No information available
The session rows are recorded in the direction the file travelled: the source is the web server (port 80) and 192.168.37.133 is the client that downloaded test.exe twice. There is no upload information because the verdict was benign and only malware is sent to the cloud.

WildFire Appliance – WF-500 - Troubleshooting
Show wf_devsrvr counters:
> show counter device
Name                       Value
-------------------------  -------------------
Queue was full             0
Queue returned empty       455133
Partition checks           316
Sample batches deleted     0
Uploads found for retry    0
Retrying uploads from      2013-03-11 13:34:47

Clear wf_devsrvr counters:
> clear counter device

WildFire Appliance – WF-500 - Troubleshooting
Queue status:
> debug device dump queue-stats
Queue statistics
Queue [0] name: download, pause: 0 low_watermark: 3500 high_watermark: 3900 count: 0 size: 4000
Queue [1] name: upload,   pause: 1 low_watermark: 9000 high_watermark: 9900 count: 0 size: 10000
Queue [2] name: notify,   pause: 0 low_watermark: 3500 high_watermark: 3900 count: 0 size: 4000
Queue [3] name: PE,       pause: 0 low_watermark: 1500 high_watermark: 1700 count: 0 size: 2000
The four queues are the stages of the pipeline (download, analyze = PE, notify, upload). A count that sits at the high watermark means the stage after it is not draining; "Queue was full" in the device counters ticks when a stage can no longer accept work.

WildFire Appliance – WF-500 - Troubleshooting
Show all queues (can be a lot of data!):
> debug device dump queues
Queue [0] : name: download
  # of entries : 0
  low_watermark : 3500, high_watermark: 3900, pause: 0
  queue is empty
Queue [1] : name: upload
  # of entries : 0
  low_watermark : 9000, high_watermark: 9900, pause: 1
  queue is empty
Queue [2] : name: notify
  # of entries : 0
  low_watermark : 3500, high_watermark: 3900, pause: 0
  queue is empty
Queue [3] : name: PE
  # of entries : 0
  low_watermark : 1500, high_watermark: 1700, pause: 0
  queue is empty

Show a particular queue:
> debug device dump queue <download|upload|notify|PE>

WildFire Appliance – WF-500 - Troubleshooting
Delete all data for a particular sample (sample, sessions, analysis and upload records):
> debug delete sample sha256 equal <file_sha_value>

Flush a queue (the queued entries are discarded, so diagnose the backlog before flushing):
> debug device flush queue <download|upload|notify|PE>

Restart the service to the public cloud:
> debug wildfire reset forwarding

WildFire Appliance – WF-500 - Troubleshooting
What to collect for tech-support:
  show system raid detail
  show counter device
  clear counter device
  show wildfire statistics
  show wildfire statistics days 7
  show wildfire last-device-registration all
  show wildfire vm all
  debug device dump queue-stats
  debug device dump queues
  show counter device
  show wildfire latest samples limit 200 days 7
  show wildfire latest sessions limit 400 days 7
  show wildfire latest analysis limit 200 days 7
  show wildfire latest uploads limit 200 days 7
  /var/log/
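The troubleshooting commands above are usually run by hand and read by eye. As an added example (not Palo Alto Networks code and not part of the original deck), the Python script below parses saved `debug device dump queue-stats` and `show wildfire latest analysis` output and reports what a health check is looking for: a queue at or above its high watermark, a paused queue that still holds entries, a malicious verdict, and an analysis that has been pending too long. The input text is constructed from the slide values, with the upload-queue count raised above its high watermark and two extra analysis rows (hashes `deadbeef...` and `cafebabe...`) added so every check fires; the 15-minute ceiling is an assumption derived from the ~5-minute Start-to-Finish times on the slides, and since the slides do not define the `pause` flag the script only reports it when the paused queue is non-empty.

```python
"""WF-500 health triage over saved CLI output (added example, not vendor code).

Parses two kinds of output from the troubleshooting slides:
  * `debug device dump queue-stats`  -> per-queue fill level vs. its watermarks
  * `show wildfire latest analysis`  -> per-sample analysis rows
All input text below is constructed from the slide values (see comments).
"""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed from the slide output; the upload queue count is raised above
# its high watermark so the backlog check has something to report.
QUEUE_STATS = """\
Queue statistics
Queue [0] name: download, pause: 0 low_watermark: 3500 high_watermark: 3900 count: 0 size: 4000
Queue [1] name: upload, pause: 1 low_watermark: 9000 high_watermark: 9900 count: 9950 size: 10000
Queue [2] name: notify, pause: 0 low_watermark: 3500 high_watermark: 3900 count: 0 size: 4000
Queue [3] name: PE, pause: 0 low_watermark: 1500 high_watermark: 1700 count: 0 size: 2000
"""

# First two rows are the slide's own; the last two (deadbeef.../cafebabe...) are
# constructed: one malicious verdict and one analysis that is still pending.
ANALYSIS = """\
Latest analysis information:
+------------------------------------------------------------------+---------------------+---------------------+---------------------+-----------+-----------+
| SHA256                                                           | Submit Time         | Start Time          | Finish Time         | Malicious | Status    |
+------------------------------------------------------------------+---------------------+---------------------+---------------------+-----------+-----------+
| 1fc7da0ee224e6d62acb5aa637f696709677c998b2a9cd0a0f50f740c860c91b | 2013-03-11 15:06:22 | 2013-03-11 15:06:22 | 2013-03-11 15:11:31 | No        | completed |
| 73e32bfe108cc8511454cfe206bb372622d953d66e65f26c7d4224940eaa74ac | 2013-03-11 12:32:17 | 2013-03-11 12:32:17 | 2013-03-11 12:37:19 | No        | completed |
| deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef | 2013-03-11 14:02:10 | 2013-03-11 14:02:11 | 2013-03-11 14:07:40 | Yes       | completed |
| cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe | 2013-03-11 14:40:00 |                     |                     | No        | pending   |
+------------------------------------------------------------------+---------------------+---------------------+---------------------+-----------+-----------+
"""

QUEUE_RE = re.compile(
    r"Queue \[\d+\]\s+name:\s+(?P<name>\w+),\s+pause:\s+(?P<pause>\d+)\s+"
    r"low_watermark:\s+(?P<low>\d+)\s+high_watermark:\s+(?P<high>\d+)\s+"
    r"count:\s+(?P<count>\d+)\s+size:\s+(?P<size>\d+)")
TS = "%Y-%m-%d %H:%M:%S"


def parse_queue_stats(text):
    """One dict per 'Queue [n] ...' line, numeric fields converted to int."""
    return [{k: (v if k == "name" else int(v)) for k, v in m.groupdict().items()}
            for m in QUEUE_RE.finditer(text)]


def queue_findings(queues):
    """(queue name, reason) pairs for queues that need attention.

    A count at or above high_watermark means the next stage is not draining;
    between the watermarks is an early warning.  The pause flag is undocumented
    on the slides, so it is only reported when the paused queue holds entries."""
    out = []
    for q in queues:
        if q["count"] >= q["high"]:
            out.append((q["name"], "at/above high watermark (%d/%d)" % (q["count"], q["size"])))
        elif q["count"] >= q["low"]:
            out.append((q["name"], "above low watermark (%d)" % q["count"]))
        if q["pause"] and q["count"]:
            out.append((q["name"], "paused with %d entries queued" % q["count"]))
    return out


def parse_cli_table(text):
    """Turn the '| a | b |' tables the WF-500 CLI prints into a list of dicts."""
    lines = [l for l in text.splitlines() if l.startswith("|")]
    if not lines:
        return []
    header = [c.strip() for c in lines[0].strip("|").split("|")]
    return [dict(zip(header, (c.strip() for c in l.strip("|").split("|"))))
            for l in lines[1:]]


def analysis_findings(rows, now, max_wait_minutes=15):
    """Flag malicious verdicts and analyses not completed within max_wait_minutes.

    Slides show ~5 min Start-to-Finish per sample; 15 min is an assumed ceiling.
    `now` is a 'YYYY-MM-DD HH:MM:SS' string in the appliance's own format."""
    now_dt = datetime.strptime(now, TS)
    limit = timedelta(minutes=max_wait_minutes)
    out = []
    for r in rows:
        if r["Malicious"] == "Yes":
            out.append((r["SHA256"], "malicious verdict"))
        if r["Status"] != "completed":
            waited = now_dt - datetime.strptime(r["Submit Time"], TS)
            if waited > limit:
                out.append((r["SHA256"], "%s for %s" % (r["Status"], waited)))
    return out


def sha256_hex(data):
    """The appliance keys everything by SHA256; hash a local copy of a file to
    build 'show wildfire sample-status sha256 equal <hex>' for it."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for name, why in queue_findings(parse_queue_stats(QUEUE_STATS)):
        print("queue  %-8s %s" % (name, why))
    # constructed 'now', shortly after the last slide timestamp
    for sha, why in analysis_findings(parse_cli_table(ANALYSIS), "2013-03-11 15:30:00"):
        print("sample %s... %s" % (sha[:12], why))
```

Feed it the saved output of the two commands (`QUEUE_STATS` and `ANALYSIS` are just the text the CLI prints), and paste the `sha256_hex` result into `show wildfire sample-status sha256 equal` to pull the sessions and upload record for a file you hold locally.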