Palo Alto Networks WildFire email link analysis

A Palo Alto Networks firewall with a WildFire security subscription can ask the WildFire Cloud to analyze Web URLs seen in email messages passing through the firewall.

By default, PAN-OS does not forward any content found in encrypted sessions to the WildFire Cloud; this includes Web URLs seen in TLS-secured SMTP sessions. If you have configured a decryption policy for incoming SMTP and want those Web URLs analyzed by WildFire, you have to enable the Allow forwarding of decrypted content setting under Device > Setup > Content-ID.

Allow forwarding of decrypted content

Web URLs are sent to WildFire in batches: 100 links at a time, or at least every 2 minutes. Web URLs sent for analysis are not shown in the WildFire log of the PAN-OS GUI; they are visible only in the CLI, in mp-log wildfire-upload.log:

[email protected]> less mp-log wildfire-upload.log
2018-03-14: http://xxxeruk.com/unsubscrx636b0= email-link upload success  PUB
2018-03-14: http://xxxxane.net//r/?id=ta3d8&eC email-link upload success  PUB
2018-03-14: http://xxxxyer.com/unsubscr6341fb= email-link upload success  PUB
2018-03-14: http://xxxxxa.club/link.php5=5&F=T email-link upload success  PUB
2018-03-14: http://xxxxxel.com/u_501043_174_50 email-link upload success  PUB
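As an added example (not part of the original post, and not Palo Alto Networks code), the following Python script parses lines in the layout shown above and summarises email-link uploads by status and destination host, so an administrator can confirm that links are actually reaching WildFire after enabling decrypted-content forwarding. The field layout is inferred from the sample output; the "failed" status value and the sample hosts are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Line layout inferred from the wildfire-upload.log sample on this page:
#   <date>: <url> <kind> upload <status>  <tag>
# Status values other than "success" are an assumption for illustration.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}): (?P<url>\S+) (?P<kind>\S+) upload "
    r"(?P<status>\S+)\s+(?P<tag>\S+)$"
)


@dataclass
class UploadRecord:
    date: str
    url: str
    kind: str
    status: str
    tag: str


def parse_line(line: str) -> Optional[UploadRecord]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    return UploadRecord(**m.groupdict()) if m else None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count email-link uploads by status and by host, and list URLs that did not upload."""
    records = [r for r in map(parse_line, lines) if r and r.kind == "email-link"]
    by_status = Counter(r.status for r in records)
    by_host = Counter(urlparse(r.url).hostname or "" for r in records)
    failed = [r.url for r in records if r.status != "success"]
    return {"total": len(records), "by_status": dict(by_status),
            "by_host": dict(by_host), "failed": failed}


# Constructed sample modelled on the page's output; hosts are placeholders.
SAMPLE_LOG = """\
2018-03-14: http://xxxeruk.com/unsubscrx636b0= email-link upload success  PUB
2018-03-14: http://xxxxane.net//r/?id=ta3d8&eC email-link upload success  PUB
2018-03-14: http://xxxxane.net/other email-link upload failed  PUB
this line is not an upload record and is ignored
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```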

WildFire downloads the page content and analyzes it for malicious content. If a URL hosts an executable that behaves maliciously, WildFire updates its malicious file signature database so that WildFire-enabled firewalls can block the newly discovered malware as soon as they download the next WildFire content update. PAN-DB URL filtering is also updated to flag the malicious URL as malware.

Example of Wildfire data flow
