WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends the threat prevention capabilities of the next-generation firewall to tackle some of the most challenging threats in the world today, and does so with full visibility and enforcement at up to 10Gbps.

The modern threat landscape has fundamentally evolved, and cyber-security teams face threats on a daily basis that rely on stealth, persistence and the skilled avoidance of traditional security measures. Such a fundamental shift in one’s adversary demands more than an incremental response, and modern security teams are re-evaluating some of their most basic security assumptions concerning how they look at network traffic, how threats are identified, and ultimately how they are blocked. Palo Alto Networks® prepares cyber-security teams for this challenge by offering a new approach based on simple but powerful concepts:

• Allnetworktrafficmustbefullyinspected.

• Anyunknownsmustbeactivelyandconclusivelyinvestigatedatscale.

• Threatsneedtobeblocked,notjustdetected.

ThesecoreprinciplesarethefoundationofPaloAltoNetworksWildFiresolution,inwhichfullvisibility,scalableanalysis,andautomatedprotectionallworktogethertosecurethenetworkanditsdata.Onlythenext-generationfirewallprovidesfull-stackanalysisandenforcementofallnetworktrafficregardlessofevasionandencryption,ensuringthathiddenoranomalousthreatsareexposed.WildFirethenproactivelyrunsanyunknownfilesinasafe,scalablesandboxenvironmentwheremalwareisconclusivelyidentifiedandnewprotectionsareautomaticallydeveloped.Theresult isacompletelyunique,closedloopapproachtocontrollingcyberthreatsbasedonnext-generationvisibility,cloud-basedmalwaresandboxing,andreliablein-lineblockingofthreats.

WildFire Overview

Atitscore,WildFiredetectsandblockstargeted,polymorphic,orotherwiseunknownmalware.Todoso,WildFiremarriestheuniquevisibilityandcontrolofthenext-generationfirewallwithacloud-basedenvironmentwheremalwareissafelyanalyzedatscale.Byproactivelyexecutingunknownfilesinavirtualenvironment,WildFireuncoversmalwarebasedonitsrealbehavior,ensuringmalwareisdetectedevenifitgetspasttraditionalsignatures.

Thisstyleofsandboxanalysisiscomputationallyintensebynature,andasaresult,WildFireisdesignedonacloud-basedarchitecturethatensuresseamlessscalability.TheWildFirepubliccloudenablesanyPaloAltoNetworkscustomertoperformtrue malwaresandboxingofunknownfileswithouttheneedforanyadditionalhardware.However,ahardware-enabledprivatecloudoptionisavailabletoextendtheWildFirearchitecture to customers who cannot use public cloud resources due to regulatory orprivacyrequirements.

WildFire™

P A L O A LT O N E T W O R K S : W i l d F i r e D a t a s h e e t

• Proactively executes suspicious files in a safe environment to identify malware based on more than 100 malicious behaviors.

• Combines the visibility of the next-generation firewall with cloud-based analysis to ensure accurate, safe and scalable malware analysis.

• True in-line blocking of malware infecting files and command-and=control traffic at the firewall.

P A L O A LT O N E T W O R K S : W i l d F i r e D a t a s h e e t

Whenathreatisdetected,WildFireautomaticallyfeedsinformationandprotectionsbacktoWildFiresubscribers.Withininminutes,subscribersreceivefirewalllogswithaverdictoftheanalysisincludingeventcontext.Moreimportantly,WildFiregeneratestruemalwareprotectionsforthenewlydiscoveredmalware,and sharesthoseprotectionswithallWildFiresubscribersworld-wide within30to60minutesoftheinitialdetection.Theseprotectionsnotonlystoprapidlyspreadingmalware,butalsotrackuniqueidentifiersinthemalwarebodytoproactivelyfindandblockmalwarevariants.Additionally,WildFireanalysisisusedtoupdateDNS-basedmalwaresignatures,updateURLcategoriesontheflyandtogeneratenewcommand-and-controlsignatures,allof which can be used to identify and disrupt the all-important malwarecommand-and-controltraffic.

How WildFire Works

Visibility Into All Traffic

Advancedpersistentthreats(APTs)thriveontheirabilitytohide fromsecuritysolutions.Thisistruenotjustofnewmalware,butofalltrafficusedintheattack.Asaresult,thequalityofacybersecurity solution is only as good as its ability to look into alltraffic,andthisispreciselywhythenext-generationfirewallisaprerequisiteforcontrollingtheseadvancedattacks.AswithallPaloAltoNetworksanalysis,WildFirebenefitsfromthefull-stackanalysisofalltraffic,acrossallportsandtheabilitytotightlycontrolavarietyofmethodsthatattackersusetohide.

P A L O A LT O N E T W O R K S : W i l d F i r e D a t a s h e e t

• Abandoning Port-Based Assumptions:Foralloftheadvance-mentsinITsecurity,virtuallyallsecurityproductsfallbackonoutdatedassumptionsbasedonport.Trafficisallowedorblockedbasedonport,signaturesareappliedbasedonport,and additional decoders and analysis are applied based on theport.PaloAltoNetworksforgoestheseassumptionsandperformsafull-stackidentificationanddecodeofalltrafficacrossallports.Thiscontextisconstantlymonitoredandupdatedtoreflectanychangesintheapplicationorprotocol. Thisprocessremainsfundamentallyuniqueinnetworksecurityandensuresattackerscan’thidebyroutingtrafficinnon-standardwaysortunnelingwithinotherapprovedtraffic.

• Visibility Into SSL Encrypted Traffic: As more applications movetotheweb,SSLhasbecomeanincreasinglycommonfactoflife.AndwhileSSLprovidesimprovedsessionsecurity,italsohastheeffectofpotentiallycreatinganopaquevectorwherethreatscanflowwithoutthepryingeyesofsecurity.PaloAltoNetworksofferson-boxSSLdecryptionthatcanbeselectivelyappliedbasedonpolicy.Decryptonlythetrafficthatinterestsyou,andsetpoliciestoensuretrafficisneverdecryptedtosensitivesitessuchashealthcareorbankingsites.

• Visibility Into Unknown Traffic: Bypositivelyclassifyingalltraffic,PaloAltoNetworkscanfurtherrevealthepresenceof anyunknownorcustomtraffic.Suchcustomtrafficisstronglycorrelatedwithmalwareandadvancedthreats,andsimplenext-generationfirewallpoliciesallowyoutoseethistrafficandautomaticallyenforcepolicyonit.

PAGE 2

Adds to threat signature research database

Exfiltration of sensitive data

Commandand control

Downloadof additional

malware

=

REPORT & ENFORCE POLICY

FILE TRANSFER DECODERS

PATTERN DB

SINGLE PASS PATTERN MATCH

DATA

WildFire CloudObserves and detects 100+

malicious behaviors to identify malware(available as a public or private cloud)

WildFire provides a logical combination of next-generation firewall hardware and scalable cloud-based malware analysis.

PAGE 3

Conclusive Behavior-Based Analysis

Whenanunknownfileisseenbythefirewall,thefileistransferredtotheWildFirevirtualizedenvironment,whereitisexecutedandallbehaviorsandcommunicationsareobserved.WildFiremonitorsformorethan100maliciousbehaviorstoidentifythetruenatureofmaliciousfilesbasedontheiractionsincluding:

• Changes Made to the Host:WildFireobservesallprocessandhookingbehaviors,changesmadetoregistries,auto-runmodi-fications,changestosecuritysettingsandanyfilesthatarecreatedormodified.AllchangesaredocumentedinWildFirereports.

• Malicious Traffic and Hacking:WildFirelooksforsuspiciousormaliciousnetworkbehaviorssuchasestablishingbackdoors,downloadingadditionalexecutables,visitingdynamicDNSdomains,scanningforvulnerabilitiesandmuchmore.

• Security Avoidance Behaviors: WildFirealsoconstantlylooksformalwaretechniquesusedtoavoidanalysissuchasattemptingtoavoidexecutingwhilebeingmonitored,injectinginto running or trusted processes and disabling host-based securityfeatures.

Using the Power of Cloud-Computing for Malware Analysis

Virtualizedmalwareanalysisrequiresmassiveamountsofcomputingresources,becausethesolutionmustprovideafullyindependentvirtualenvironmenttoanalyzeeveryunknownor suspiciousfile.Thismeansthatcomputingrequirementscanswingwildlydependingontheamountandtypeoftraffichittingthe network.Thishasthepotentialtorequireagreatdealofhardwareforanalysis,andevenworsetocreatebottlenecksthatlimittheanalysisofmalware.Tosolvethisproblem,WildFireleveragesa cloud-based architecture that allows computing resources to scaleelasticallybasedonneed.

• Shared Protections: Inadditiontoimprovedscalability,the WildFirecloudensuresthatuserscanbenefitfromtheanalysisofallotherWildFireusers.Malwareidentifiedinonelocation,generatesprotectionsthatapplytoallusersworldwide.This appliesnotonlytomalwaresamples,butalsodangerousURLs, andDNSqueriesfrommalwareaswell.

• Public Cloud: Bydefault,WildFireleveragesapubliccloudenvironmentmanageddirectlybyPaloAltoNetworks.AllfilesaresecurelytransferredbetweenthefirewallandtheWildFireoverencryptedconnections,signedonbothsidesbyPaloAltoNetworks.Anyfilesthatarefoundtobebenignaredestroyed,whilemalwarefilesaresavedforfurtheranalysis.

• Private Cloud:Forcustomerswhodonotusecloud-basedsolutionsduetoregulatoryorprivacyconcerns,PaloAltoNetworksoffersaprivatecloudoptionforWildFire.Thisprivate cloudisenabledbytheWF-500WildFireAppliance,andallows customerstorunafullyfunctioningversionoftheWildFireenvironmentthatremainswithinthecustomer’snetwork.

Automated Prevention

Onceafileisdeterminedtobemalicious,WildFireautomaticallydevelopsprotectionsforthenewthreatandgeneratesintegratedandcorrelatedlogsforsecuritystaff.WithinminutesofsubmittingafiletoWildFire,subscribersreceiveanintegratedlogwiththeverdictofthemalwareanalysis,whichiscorrelatedwithanyotherrelevantlogsinthePaloAltoNetworksuserinterface.Additionally,allWildFireuserscanreceivenotificationsviaemailbasedonpolicy.

TheWildFirepubliccloudalsodevelopsarangeofprotectionsforallnewlydiscoveredmalware(customersusingaprivateclouddeploymenthavetheoptiontosubmitconfirmedmalwaretothe publiccloudinordertogenerateprotections).WildFireauto-maticallydevelops,testsanddeliversnewmalwaresignatureswithin30to60minutestoallWildFiresubscribers,worldwide.Inadditiontomalwaresignatures,WildFiredataisusedtoupdateDNS-basedsignatures,URLcategoriesandcommand-and-controlsignaturesaswell.

• Malware Signatures:ThesesignaturesarebasedonuniqueidentifiersinthemalwarepayloadthatallowasingleWildFiresignaturetoblockmultiplepolymorphicvariants.ThesesignaturesaredeliveredtoWildFiresubscriberswithin30to60minutesoftheinitialsubmissionofthefile.

• DNS Signatures: WildFirerecordsallDNSqueriesandmaintainsa database and signature list of DNS requests that are unique tobotnetsandmalwareoperations.

• Command-and-Control Signatures: Palo Alto Networks researchersmaintainfullcoverageforallcommand-and-controltrafficobservedinWildFire.Thesesignaturesprovideakeymethod for identifying and controlling any malware infections alreadyinthenetwork.

• URL Categories:WildFiremonitorsanyURLsanddomainsthatmalwarecommunicateswith.WildFirethenprovidesupdatesonanynewlydiscoveredmaliciousdomainstoPAN-DB,PaloAltoNetworksinternallydevelopedURLfilteringdatabase.

P A L O A LT O N E T W O R K S : W i l d F i r e D a t a s h e e t

P A L O A LT O N E T W O R K S : W i l d F i r e D a t a s h e e t

Malware Forensics and Event Analysis

Integrated Logging and Reporting

WildFiresubscribersreceiveintegratedWildFirelogsontheir firewalls,enablingteamstocorrelateWildFireeventswithotherimportanteventsobservedbythefirewall.Thisensuresthatstaffcanquicklyandseamlesslytieapplications,URLs,files,known threats and unknown threats into a coordinated approach tothreatprevention.Additionally,PaloAltoNetworksprovidespre-builtreportsforWildFireeventstoprovideongoingdocumentationofemergingthreats.

WildFire Portal

Whendealingwithnewandemergingthreats,it’simportantthatsecurityteamsbeabletoquicklyandeasilyinvestigatemalwareinordertocorrelateaninfectionwithothersecurityeventsorsimplytoaidinthecleanupinthecaseofaninfection.

TheWildFirePortalprovidesdetailedanalysisandforensicsforeveryfileanalyzedbyWildFire.Staffcantracktheoverallratesofmalwaredetected,andcandrilldownintodetailedanalysisonanygivenfile.Staffcaneasilyseetheverdictofafile,theapplication,IPaddressand/orURLthatdeliveredthefileaswellastheuserthatwastargeted.

Theanalysisthenprovidesgranulardetailsofthemalwareincludingallobservedmaliciousbehaviors,alistofanyandalldomainsthemalwarevisited,registrykeysaddedormodifiedaswellasanyfilescreatedormodified.Thisanalysisprovidesthecontexttoknowexactlyhowthemalwareattemptedtoenterthenetwork,howittriestocommunicatebackoutofthenetworkandactionsitperformedonthetargethost.Thisinformationcanprovideteamswithdetailstoestablishhost-basedindicatorsforinfectedmachines,aswellasprovidingthereal-world data needed to adapt security policies to changing attackstrategies.Thisdataalsohelpssecurityteamstoteachandtrainnetworkusersbyshowingthenames,locationsandapplicationsthathavebeenusedagainsttheminphishingorsocialengineeringattempts.

PAGE 4

Integrated WildFire Logs

P A L O A LT O N E T W O R K S : W i l d F i r e D a t a s h e e t

Maintaining the Privacy of Your Files

Aswithanyuseofthecloud,anenterprisemustensurethat thecloudisusedsafelyandwithoutexposingenterprisedata. WildFireisnoexception,andprovidescustomerswithfull controloverwhatdataissharedwithWildFireandtheadditionalprotection of multiple layers of professionally managed security toensuredataisneverexposed.PaloAltoNetworksalsoofferstheWF-500applianceforcustomerswhoprefertodeployWildFireasaprivatecloud.

Whetherdeployedasaprivateorpubliccloud,securityteamsalwaysretainfullcontroloverexactlywhichfilesshouldbesenttotheWildFirecloud.TeamsmaywanttoanalyzeallunknownfilesorsimplythosefilescomingfromtheInternetorotheruntrustedzones.Inadditiontocontroloverwhichfilesaresentforanalysis,policiescanbesettocontrolwhatrelevantsessioninformationshouldbeincludedwiththesampleforanalysis.Sessioninformationreferstothecontextofthe

networksessionresponsiblefordeliveringtheunknownfile suchastheapplication,targetuser,portnumber,sourceIPaddress,userandhostname,aswellastheattackingIPorURL.Thisdataisoftenparticularlyusefulforcorrelationpurposesifafileisfoundtobemalicious,butisnotrequired forWildFiretodeterminethestatusofthefile.

Whenafileissentforanalysis,thefirewallestablishesasecureconnectionbetweenthelocalfirewallandPaloAltoNetworksWildFirecloudorlocalWF-500appliance.ThisconnectionissecuredonbothendsbyclientcertificatessignedbyPaloAltoNetworks ensuring that data remains secure in transit and preventingthepossibilityofaman-in-the-middleattack.OncedeliveredtotheWildFirecloud,thefileisprotectedbehindmultiplelayersofprofessionallymanagedsecurity.FilesareonlyallowedinboundtotheWildFirecloudtoensurethatbenignfilesneverleavetheWildFireenvironment.Followinganalysis,benignfilesaredestroyedandonlythehashvalueretainedinordertopreventfuturere-analysis.

PAGE 5

Analysis From the WildFire Portal

PAGE 6

3300 Olcott Street Santa Clara, CA 95054

Main: +1.408.573.4000Sales: +1.866.320.4788 Support: +1.866.898.9087

www.paloaltonetworks.com

Copyright ©2013, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_DS_WF_051313

WildFire Requirements:

PAN-OSversion5.0orhigher.

Licensing Information:

BasicWildFirefunctionalityisavailabletoallPaloAltoNetworks customersatnocharge.TheseuserscanautomaticallysubmitsuspiciousfilestoWildFireandprotectionsaredeliveredwithregularthreatpreventioncontentupdates(threatpreventionlicenseisrequired).AnadditionalWildFirelicenseprovidesWildFiresignaturesevery30minutesforallnewmalwaredetectedanywhereintheworld,integratedlogging/reporting;accessto WildFireAPIforprogrammaticsubmissionofupto100samplesperdayandupto1,000reportqueriesbyfilehashperday.

WF-500

TheWF-500isanoptionalhardwareappliancetosupportcustomerswhochoosetodeployWildFireasaprivatecloud.TheWF-500isnotrequiredasWildFiredeploymentswillusePaloAltoNetworkssecurepubliccloudbydefault.

PROCESSOR

•Dual6-CoreIntelProcessorwithHyper-Threading

MEMORY

•128GBRAM

SYSTEM DISK

•120GBSSD

STORAGE

•2TBRAID1:4x1TBRAIDCertifiedHDDfor2TBofRAIDStorage

I/O

•4x10/100/1000,DB9Consoleserialport,USB

RACK MOUNTABLE

•2U

POWER SUPPLY

•Dual920Wpowersuppliesinhotswap,redundantconfiguration

MAXIMUM POWER CONSUMPTION

•510Watts

MAXIMUM BTU/HR

•1740

INPUT VOLTAGE

•100-240VAC

MAXIMUM CURRENT CONSUMPTION

•11Amps@100VAC

OPERATING TEMPERATURE

•32to95F,0to35C

NON-OPERATING TEMPERATURE

•-4to158F,-20to70C

SAFETY

•UL/CSA,CB

EMI

•FCCClassA,VCCIClassA,CEClassA

P A L O A LT O N E T W O R K S : W i l d F i r e D a t a s h e e t