Palo Alto Networks Brings Malware Security Down from the Cloud

On-premises network security components typically include firewall and IPS technologies. Palo Alto Networks is now adding a third device to the mix with its WF-500 appliance for detecting malware and advanced persistent threats (APTs).

The WF-500 is the on-premises version of Palo Alto’s WildFire cloud-based security service. A service that examines unknown network payloads for potential malicious behavior, WildFire first debuted as a cloud-only service in November 2012 and is now being brought on-premises with the WF-500.

“With everything that comes into the firewall, if we don’t know what it is, then we throw it in the sandbox and do some analysis to see if it’s good, bad, or indifferent,” Wade Williamson, senior security analyst at Palo Alto, explained to Enterprise Networking Planet.

The WildFire cloud service sends data from the enterprise’s firewall to the Palo Alto service. With the WF-500, on the other hand, the local physical appliance performs the analysis. Williamson noted that some customer networks will not allow any data to be sent outside their networks, creating a need for a local device.

The WF-500 is an out-of-band device that is not in the main packet stream. Williamson explained that the device will execute unknown packets inside its own virtualized sandbox to see what happens.

“Where we see a lot of malware coming from is via web-based sources and things that need to be rendered really quickly,” Williamson said. “So when you’re doing that first analysis, it’s almost always out-of-band.”

The fact that the analysis is done out-of-band means that the WF-500 does not immediately provide real-time protection for unique, brand-new zero-day threats. Williamson said that when and if the WF-500 finds new threats as a result of analysis, the enterprise can go back to its firewall and provide new policy and rules to block the threat in the future.


The WF-500 system provides users with what Williamson described as a “real” signature, with which a Palo Alto firewall could then block future iterations of the same attack or malware.

“It’s not a heuristic signature, but we are finding unique identifiers both in the header and the body of the payload,” Williamson said.

Williamson noted that the Palo Alto signatures also take into account multiple contextual elements learned from the sandbox analysis.

“What we’re not doing is just saying something is a bad hash value, so the malware signatures that we have are better than the average bear,” Williamson said.

Sean Michael Kerner is a senior editor at Enterprise Networking Planet. Follow him on Twitter @TechJournalist.
