Palo Alto WildFire

 


Three Tiers: Basic → WildFire → Advanced WildFire


Basic WildFire (Free — built into NGFW)

The basic WildFire service is included as part of the Palo Alto Networks NGFW and does not require any subscription. With the basic service, the firewall can forward portable executable (PE) files for analysis, and can retrieve WildFire signatures only with antivirus and/or Threat Prevention updates, which are made available every 24–48 hours.


WildFire Subscription

The WildFire subscription provides protection from malware by forwarding samples to the Advanced WildFire cloud, where a series of analysis environments detect and prevent unknown malware threats. It includes access to regular Advanced WildFire signature updates, advanced file type forwarding, and the ability to upload files using the WildFire API. It also supports forwarding files to a local WildFire appliance for on-prem environments.

Key upgrade over Basic:

  • Signature updates every 5 minutes (vs. 24–48 hrs)
  • Broader file type forwarding (not just PE files)
  • WildFire API access

Advanced WildFire Subscription (PAN-OS 10.0+)

The Advanced WildFire subscription includes all features of the standard WildFire subscription, and improves upon it by providing sample analysis through an advanced cloud-based detector. The advanced detection system analyzes samples using intelligent real-time runtime memory analysis, runtime DLL emulation, automated unpacking, family classification, stealth observation, and other techniques to target highly-evasive malware.

Additional capabilities over standard WildFire:

  • Inline Cloud Analysis — real-time cloud-based ML engines detect and block never-before-seen malware inline, without waiting for a full sandbox verdict. Requires an active Advanced WildFire license.
  • Custom hardened hypervisor — remains invisible to malware, capturing malicious behavior even during in-memory execution, with automated unpacking and dependency emulation to unravel hidden malware behaviors.
  • Signatures distributed to customers in a ~5-minute window for newly detected threats, eliminating "patient zero" scenarios — 60× faster than competitors.
  • Uses 25+ patented detection techniques — static, dynamic, and intelligent runtime memory assessments — versus traditional sandboxing approaches.

Summary Comparison

Feature                                      | Basic (Free) | WildFire | Advanced WildFire
PE file forwarding                           | Yes          | Yes      | Yes
Advanced file types (Office, PDF, APK, etc.) | No           | Yes      | Yes
Signature update speed                       | 24–48 hrs    | 5 min    | Real-time / 5 min
WildFire API access                          | No           | Yes      | Yes
On-prem appliance support                    | No           | Yes      | Yes
Inline ML (block before verdict)             | No           | No       | Yes
Runtime memory analysis                      | No           | No       | Yes
Evasion-resistant sandbox (25+ techniques)   | No           | No       | Yes
DLL emulation / automated unpacking          | No           | No       | Yes
Stealth observation mode                     | No           | No       | Yes
PAN-OS requirement                           | Any          | Any      | 10.0+

Bottom line: The standard WildFire subscription gets you fast signature updates and broad file type coverage. Advanced WildFire adds a fundamentally different analysis engine — one purpose-built to catch evasive, zero-day threats that are designed to defeat traditional sandboxes. For organizations dealing with sophisticated threats, Advanced WildFire is the meaningful upgrade.


WildFire Verdict vs. Firewall Action — They're Independent

The WildFire verdict and the firewall action come from two different enforcement points that operate at different times.


Why "Malicious" verdict + "Allow" action can co-exist

1. WildFire Analysis Happens AFTER the File is Delivered

  • By default, the firewall forwards a file to WildFire for analysis while simultaneously allowing it to pass (forward action = allow delivery).
  • The verdict (malicious/benign/grayware) comes back asynchronously — often seconds to minutes later.
  • The log entry you see is the WildFire submission log, not a traffic block log. The file was already delivered when the log was created.

2. The "Action" Field in WildFire Logs Reflects the File Forwarding Action

  • In WildFire Submission logs, the action field shows what happened to the file forwarding, not whether the session was blocked.
  • allow = the file was forwarded to WildFire for analysis and delivered to the endpoint.

3. Your Security Profile May Not Be Set to Block

  • The WildFire action in your Antivirus profile (the WildFire Action column, covered below) controls what happens on future sessions once a signature has been pushed.
  • If that action for a "malicious" verdict is set to allow instead of block or reset-both, traffic will not be blocked even after the verdict is known.


How Blocking Actually Works

File seen → [Forward to WildFire] → Verdict returned (async)
                                          ↓
                               Signature pushed to firewall
                                          ↓
                          Next time file is seen → BLOCKED
                          (if profile action = block)

The first occurrence of a malicious file is almost always delivered. Blocking happens on subsequent encounters via signature updates.
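As an added illustration (not code from the original page or from Palo Alto Networks), the following Python correlates submission-style log entries by file hash and labels each malicious sighting as expected first-pass delivery, a sighting that should already have been blocked, or an enforced block. The log lines and their five-field layout are constructed for the example and deliberately simplified; they are not the real PAN-OS WildFire Submission log format, and the five-minute signature window is an assumption taken from the distribution interval stated above.

```python
"""Correlate constructed WildFire submission log entries by file hash.

Shows why a MALICIOUS verdict next to an ALLOW action is normal on the first
sighting of a file, and flags later sightings where a signature should already
have caused the firewall to block.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified, NOT the real PAN-OS field layout):
# receive_time, src_ip, file_sha256 (placeholder), verdict, action
SAMPLE_LOG = """\
2024-05-01 09:00:05,10.1.1.20,aaaa1111,malicious,allow
2024-05-01 09:01:10,10.1.1.21,bbbb2222,benign,allow
2024-05-01 09:02:30,10.1.1.22,aaaa1111,malicious,allow
2024-05-01 09:20:00,10.1.1.23,aaaa1111,malicious,allow
2024-05-01 09:25:00,10.1.1.24,aaaa1111,malicious,reset-both
"""

# Assumption: a signature for a new malicious verdict reaches the firewall
# within roughly this window (the 5-minute distribution interval).
SIGNATURE_WINDOW = timedelta(minutes=5)
ENFORCING_ACTIONS = {"block", "reset-client", "reset-server", "reset-both",
                     "drop-connection"}


def parse_log(text):
    """Turn the constructed CSV-style lines into dicts with parsed timestamps."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, sha, verdict, action = line.split(",")
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "src": src, "sha": sha, "verdict": verdict,
                     "action": action})
    return rows


def classify(rows):
    """Label every malicious sighting; returns (time, sha, src, label) tuples.

    expected-first-pass : allowed while the verdict was still pending
    check-av-profile    : allowed after a signature should have been present
    enforced            : the AV profile's WildFire action blocked the file
    """
    by_hash = defaultdict(list)
    for r in rows:
        if r["verdict"] == "malicious":
            by_hash[r["sha"]].append(r)
    findings = []
    for sha, sightings in by_hash.items():
        sightings.sort(key=lambda r: r["time"])
        first_seen = sightings[0]["time"]
        for r in sightings:
            if r["action"] in ENFORCING_ACTIONS:
                label = "enforced"
            elif r["time"] - first_seen <= SIGNATURE_WINDOW:
                label = "expected-first-pass"
            else:
                label = "check-av-profile"
            findings.append((r["time"].strftime("%H:%M:%S"), sha, r["src"], label))
    return findings


def summarize(findings):
    """Count sightings per label so a reviewer sees the shape at a glance."""
    counts = defaultdict(int)
    for _, _, _, label in findings:
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    results = classify(parse_log(SAMPLE_LOG))
    for row in results:
        print(*row)
    print(summarize(results))
```

In the constructed data the 09:20:00 sighting is the interesting one: the same hash was still allowed well after the first verdict, which is the signal to go look at the Antivirus profile's WildFire Action and at which rule the profile is attached to, rather than at the submission log itself.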


Key Takeaway

"Allow" in a WildFire submission log does not mean the firewall approved a malicious file; it means the file was forwarded for analysis at the time of transit. To enforce blocking, the Antivirus profile attached to the rule must have its WildFire Action for malicious verdicts set to block (or reset-both), and Advanced WildFire (inline ML) is needed for true zero-day first-pass blocking.


WildFire Analysis Profile ≠ Blocking Profile

The WildFire Analysis Profile only controls which files get forwarded to WildFire and where (public cloud, private, both). There is no "block" option here. This profile is purely about telemetry/submission, not enforcement.


Blocking is Controlled by the Antivirus Profile

The actual enforcement happens in the Antivirus (AV) Security Profile:

Objects > Security Profiles > Antivirus

Inside the AV profile there is a WildFire Inline ML tab and, more importantly for verdict enforcement, a WildFire Action column on the signature-based Action tab, set per protocol decoder to one of:

  • default → follows Palo Alto's recommended action (usually block/reset)
  • allow
  • alert
  • block
  • reset-client / reset-server / reset-both
  • drop-connection


What to Check

1. Antivirus Profile — WildFire Action

  • Go to Objects > Security Profiles > Antivirus
  • Look at the WildFire Action column for each protocol (HTTP, FTP, SMTP, etc.)
  • Set to reset-both or block for malicious verdicts

2. Attach the AV Profile to your Security Policy

  • Go to Policies > Security > [your rule] > Actions tab
  • Confirm an Antivirus profile with the correct actions is attached

3. For First-Pass / Zero-Day Blocking

  • You need Advanced WildFire (inline ML license)
  • Enabled under the AV profile's WildFire Inline ML tab
  • This is the only way to block a file before the verdict comes back
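The three checks above can be scripted against an exported configuration. The Python below is an added example, not code from the original page or from Palo Alto Networks. The XML it parses is constructed for the example; its element names (profiles/virus/.../decoder/wildfire-action, mlav-engine-filebased-enabled, profile-setting) approximate the PAN-OS running configuration as I recall it and are an assumption to confirm against your own `show config running` output before relying on the script.

```python
"""Audit a PAN-OS style configuration for the WildFire enforcement chain.

The XML is CONSTRUCTED for this example. Its element names approximate the
PAN-OS running configuration as I recall it and are an assumption: confirm
them against your own `show config running` output.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """\
<config>
  <profiles><virus>
    <entry name="AV-strict">
      <decoder>
        <entry name="http"><action>reset-both</action><wildfire-action>reset-both</wildfire-action></entry>
        <entry name="smtp"><action>alert</action><wildfire-action>alert</wildfire-action></entry>
        <entry name="ftp"><action>reset-both</action><wildfire-action>block</wildfire-action></entry>
      </decoder>
      <mlav-engine-filebased-enabled>
        <entry name="Windows Executables"><mlav-policy-action>enable</mlav-policy-action></entry>
      </mlav-engine-filebased-enabled>
    </entry>
    <entry name="AV-telemetry-only">
      <decoder>
        <entry name="http"><action>allow</action><wildfire-action>allow</wildfire-action></entry>
      </decoder>
    </entry>
  </virus></profiles>
  <rulebase><security><rules>
    <entry name="allow-web"><profile-setting><profiles>
      <virus><member>AV-strict</member></virus>
      <wildfire-analysis><member>WF-default</member></wildfire-analysis>
    </profiles></profile-setting></entry>
    <entry name="allow-mail"><profile-setting><profiles>
      <virus><member>AV-telemetry-only</member></virus>
    </profiles></profile-setting></entry>
    <entry name="allow-dns"/>
  </rules></security></rulebase>
</config>
"""

# Step 1 target: the WildFire Action should be reset-both or block.
ENFORCING_WILDFIRE_ACTIONS = {"block", "reset-both"}


def load(xml_text):
    return ET.fromstring(xml_text)


def audit_av_profiles(root):
    """Step 1: (profile, decoder, wildfire-action) tuples where the action does not enforce."""
    findings = []
    for prof in root.findall("./profiles/virus/entry"):
        for dec in prof.findall("./decoder/entry"):
            wf_action = dec.findtext("wildfire-action", default="default")
            if wf_action not in ENFORCING_WILDFIRE_ACTIONS:
                findings.append((prof.get("name"), dec.get("name"), wf_action))
    return findings


def audit_rules(root):
    """Step 2: every security rule needs both an AV and a WildFire Analysis profile."""
    findings = []
    for rule in root.findall("./rulebase/security/rules/entry"):
        av = rule.findtext("./profile-setting/profiles/virus/member")
        wf = rule.findtext("./profile-setting/profiles/wildfire-analysis/member")
        missing = [name for name, val in (("antivirus", av), ("wildfire-analysis", wf)) if not val]
        if missing:
            findings.append((rule.get("name"), missing))
    return findings


def inline_ml_enabled(root, profile_name):
    """Step 3: is WildFire Inline ML (Advanced WildFire) enabled on this AV profile?"""
    prof = root.find(f"./profiles/virus/entry[@name='{profile_name}']")
    if prof is None:
        return False
    return any(e.findtext("mlav-policy-action") == "enable"
               for e in prof.findall("./mlav-engine-filebased-enabled/entry"))


if __name__ == "__main__":
    cfg = load(SAMPLE_CONFIG)
    print("non-enforcing WildFire actions:", audit_av_profiles(cfg))
    print("rules missing profiles:", audit_rules(cfg))
    for name in ("AV-strict", "AV-telemetry-only"):
        print(name, "inline ML:", inline_ml_enabled(cfg, name))
```

Against the constructed configuration the audit reports the smtp decoder on AV-strict (alert only), the allow-only telemetry profile, the mail rule with no WildFire Analysis profile attached, and the DNS rule with no profiles at all; only AV-strict has inline ML enabled, so only traffic matched by allow-web gets first-pass blocking.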

Summary

Profile                       | Purpose                                 | Has Block?
WildFire Analysis Profile     | Controls file forwarding to WildFire    | ❌ No
Antivirus Profile             | Enforces verdicts via signatures        | ✅ Yes
Advanced WildFire (Inline ML) | Blocks on first pass, no verdict needed | ✅ Yes

The WildFire Analysis Profile and the Antivirus Profile must both be attached to the same security policy rule for the full chain to work.


WildFire Verdict: MALICIOUS
          │
          ├──► Signature created → pushed to all firewalls (every 5 min)
          │         └──► AV Profile blocks file on next encounter
          │
          ├──► Threat log entry → SOC investigation
          │
          ├──► AutoFocus intelligence → XSOAR playbook automation
          │
          ├──► Cortex XDR → endpoint quarantine / isolation
          │
          └──► PAN-DB / DNS Security → source URL/domain blocked


Bottom Line

Usage                         | Informational? | Enforcement?
WildFire Submission Log       | Yes            | No
AV Signature (next encounter) | No             | Yes
Threat Log                    | Yes            | No
Cortex XDR response           | No             | Yes
AutoFocus / XSOAR             | Yes (both)     | Yes (both)
DNS Security / URL Filtering  | No             | Yes

The verdict is the trigger for a chain of enforcement actions — but how much of that chain is active depends on which Palo Alto products and profiles you have configured.


==============

Test a Sample Malware File


https://docs.paloaltonetworks.com/advanced-wildfire/administration/configure-advanced-wildfire-analysis/verify-wildfire-submissions/test-a-sample-malware-file




