Palo Alto Networks WildFire Connector 2.3 for EDR Released
Posted on April 13, 2016
Changelog
This version of the WildFire connector upgrades the WildFire API to the latest version, fixing compatibility problems with both the cloud and on-premise WildFire appliances. The old API used by previous versions of the WildFire connector is no longer supported or available, so all users of the WildFire connector must upgrade for the connector to function.
Also included in this release:
- Fixes to high CPU usage. The connector should now use a very small CPU% when running.
- The connector now pulls down the PDF reports for any binaries that are determined to be “greyware” or “malware”. The reports are served from the same embedded HTTP server that provides the Cb feed. There may be firewall/IP issues - see below.
- This release is the first one to be built as a Python packaged binary rather than a standalone binary. This does not affect most users, but it solves problems for users whose /tmp directory was mounted noexec, which prevented previous versions of the connector from running properly.
File Reporting
The WildFire connector now automatically retrieves the PDF report for any “greyware” or “malware” binaries. Links to these reports are included in the feed provided to your Carbon Black server. In order for users to access these reports, you must have two items properly configured:
- The feed_host option in the /etc/cb/integrations/wildfire/connector.conf file must be set to the IP or hostname where the connector is running. This IP/hostname must be accessible from any analyst machines that are used to retrieve the PDF reports.
- The host firewall (iptables) must be configured to allow incoming HTTP access to the feed port (default is 3774, set through the listener_port option in the configuration file above) so that analyst machines can retrieve the PDF reports.
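The following shell script is an added example, not part of this release note or of the Carbon Black connector itself. It walks the two checks described above against a constructed sample connector.conf: it reads feed_host and listener_port, flags a feed_host that analysts could never reach (empty or loopback), and prints the iptables rule that opens the feed port, optionally restricted to an analyst subnet. The "key = value" layout and the [bridge] section name in the sample file are assumptions about the real configuration file's format; the port default of 3774 comes from the post.

```shell
#!/bin/sh
# Added example: verify the File Reporting prerequisites for the WildFire connector.
# Not the connector's own code. Assumes connector.conf uses INI-style "key = value"
# lines; the [bridge] section name below is an assumption, not taken from the post.

# Constructed sample standing in for /etc/cb/integrations/wildfire/connector.conf
SAMPLE_CONF="${TMPDIR:-/tmp}/wildfire-connector-example.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[bridge]
# hostname or IP that analyst workstations use to reach the embedded HTTP server
feed_host = 10.0.0.5
listener_port = 3774
EOF

# get_option <key> <file>: print the value of the first "key = value" line
get_option() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_feed_host <host>: succeed when the value could be reached from an
# analyst machine; fail on empty, localhost or loopback/wildcard addresses,
# which would make the PDF report links in the feed unusable off-box.
check_feed_host() {
    case "$1" in
        ""|localhost|127.*|0.0.0.0) return 1 ;;
        *) return 0 ;;
    esac
}

# iptables_rule <port> [source_cidr]: print the rule admitting inbound TCP to
# the feed port. Supplying the analyst subnet keeps the feed and reports from
# being exposed to every host that can route to the connector.
iptables_rule() {
    if [ -n "$2" ]; then
        printf 'iptables -I INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$2" "$1"
    else
        printf 'iptables -I INPUT -p tcp --dport %s -j ACCEPT\n' "$1"
    fi
}

feed_host=$(get_option feed_host "$SAMPLE_CONF")
listener_port=$(get_option listener_port "$SAMPLE_CONF")
listener_port=${listener_port:-3774}   # default named in the release note

if check_feed_host "$feed_host"; then
    echo "feed_host=$feed_host looks reachable from off-box"
else
    echo "feed_host='$feed_host' is empty or loopback: analysts cannot fetch the PDF reports" >&2
fi

echo "Rule to open the feed port (run with appropriate privilege, then persist it):"
iptables_rule "$listener_port" "10.0.0.0/24"   # 10.0.0.0/24 is a constructed analyst subnet
```

Run the script on the connector host and replace the sample path with the real connector.conf; the rule it prints is inserted at the top of the INPUT chain, so check it against any existing DROP rules and persist it with your distribution's usual mechanism.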