Examining a WildFire Analysis profile

A knowledge base article about examining a WildFire Analysis profile, provided by the UC Berkeley IT Service Hub - Knowledge Portal

The Information Security Office (ISO) creates a number of security profiles that individual departments can use in their own environments. To understand the settings associated with these profiles and to evaluate them for local use, the best approach is to review the settings themselves. Below are the steps needed to examine the settings of a WildFire Analysis profile.

  1. While logged into https://panorama.net.berkeley.edu, choose “Objects” from the tabs at the top of the window.
  2. Under “Security Profiles” in the left pane, choose “WildFire Analysis”.
  3. Unlike most other Security Profiles, there is just one WildFire Analysis profile developed by ISO: ucbsec-wildfire_cloud.
  4. The ucbsec-wildfire_cloud profile is configured to send the file types listed in the “File Types” column to Palo Alto's Gov Cloud WildFire, regardless of the application the files were sent over or the direction they were sent. Like firewall rules, the rules in a WildFire Analysis profile are read top to bottom, so the first rule that matches the file type (along with any other criteria) is the one used.

    If someone wanted to write a custom WildFire Analysis profile, it is possible to use the application the transfer used (based on the Palo Alto detected AppID) or the direction of the file (upload or download) as part of the match criteria.
    • For example, if a researcher regularly downloaded malicious files from a git repository, it would be possible to create a first rule that ignores traffic of that type, followed by a second rule that still performs WildFire analysis for any of the listed file types seen in another way. In this scenario, it would be best to create a unique WildFire profile and apply it to a rule just for that traffic.
  5. Once the WildFire Analysis profile is understood, exit these screens by clicking the “Cancel” button.
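The top-to-bottom, first-match behaviour described in step 4 is easy to get wrong when a custom profile adds an exception rule, because a catch-all rule placed above it silently wins. The following is an added example, not code from ISO or from Palo Alto Networks: a small model of a WildFire Analysis profile that evaluates rules in order and flags rules that can never match because an earlier rule already covers them. The field names, the "forward"/"ignore" actions, the file-type list and the App-ID name "git-base" are simplifying assumptions chosen to mirror the article's wording, not the real Panorama schema.

```python
"""Toy first-match evaluator for WildFire Analysis profile rules.

Added example (not UC Berkeley ISO's or Palo Alto Networks' code). Field
names, actions and sample values are assumptions that mirror the article.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"  # wildcard for file types or applications


@dataclass(frozen=True)
class Rule:
    name: str
    file_types: frozenset        # e.g. {"pe", "pdf"} or {ANY}
    applications: frozenset      # App-IDs, e.g. {"git-base"} or {ANY}
    direction: str               # "upload", "download" or "both"
    action: str                  # "forward" (send to WildFire) or "ignore"


@dataclass(frozen=True)
class Transfer:
    file_type: str
    application: str
    direction: str               # "upload" or "download"


@dataclass
class Profile:
    name: str
    rules: List[Rule]

    def match(self, t: Transfer) -> Optional[Rule]:
        """Return the first rule whose criteria all match, as the firewall does."""
        for rule in self.rules:
            if (
                (ANY in rule.file_types or t.file_type in rule.file_types)
                and (ANY in rule.applications or t.application in rule.applications)
                and rule.direction in ("both", t.direction)
            ):
                return rule
        return None


def evaluate(profile: Profile, t: Transfer) -> str:
    """Action taken for a transfer; a file matching no rule is not forwarded."""
    rule = profile.match(t)
    return rule.action if rule else "ignore"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every transfer matching `inner` would already match `outer`."""
    return (
        (ANY in outer.file_types or inner.file_types <= outer.file_types)
        and (ANY in outer.applications or inner.applications <= outer.applications)
        and (outer.direction == "both" or outer.direction == inner.direction)
    )


def shadowed_rules(profile: Profile) -> List[str]:
    """Names of rules that can never be hit because an earlier rule covers them."""
    shadowed = []
    for i, rule in enumerate(profile.rules):
        if any(covers(earlier, rule) for earlier in profile.rules[:i]):
            shadowed.append(rule.name)
    return shadowed


# Constructed sample of the file types in the profile's "File Types" column
# (the article does not list them; these are illustrative only).
SAMPLE_FILE_TYPES = frozenset({"pe", "pdf", "ms-office", "archive", "script"})

# Model of the ISO profile as described: listed file types, any application,
# either direction, forwarded to the WildFire cloud.
UCBSEC_WILDFIRE_CLOUD = Profile(
    "ucbsec-wildfire_cloud",
    [Rule("forward-all", SAMPLE_FILE_TYPES, frozenset({ANY}), "both", "forward")],
)

# Constructed custom profile for the researcher scenario in step 4: downloads
# over git are skipped, everything else still goes to WildFire. Order matters.
RESEARCHER_PROFILE = Profile(
    "example-research-git",
    [
        Rule("skip-git-downloads", SAMPLE_FILE_TYPES, frozenset({"git-base"}), "download", "ignore"),
        Rule("forward-everything-else", SAMPLE_FILE_TYPES, frozenset({ANY}), "both", "forward"),
    ],
)

# Same two rules in the wrong order: the exception can never match.
MISORDERED_PROFILE = Profile("example-misordered", list(reversed(RESEARCHER_PROFILE.rules)))

if __name__ == "__main__":
    git_dl = Transfer("pe", "git-base", "download")
    print(evaluate(RESEARCHER_PROFILE, git_dl))   # ignore
    print(evaluate(MISORDERED_PROFILE, git_dl))   # forward (exception is dead)
    print(shadowed_rules(MISORDERED_PROFILE))     # ['skip-git-downloads']
```

Running `shadowed_rules` against a profile before committing it catches the misordering that the Panorama UI does not warn about: the exception rule must sit above the catch-all, and the check returns an empty list only when every rule can still be reached.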


More information about Wildfire Analysis profiles can be found at:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-wildfire-analysis