Back to All Scenarios
PASSEDvendor / paloalto_wildfire_sandbox_failure
Palo Alto WildFire Sandbox Analysis Failure
The PA-5250 WildFire cloud connection fails, causing all unknown file verdicts to default to 'allow' per policy. Potentially malicious files bypass inspection for 3 hours before detection.
Pattern
UNKNOWN
Severity
CRITICAL
Confidence
85%
Remediation
Remote Hands
Test Results
| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | UNKNOWN | UNKNOWN | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 21 linked | |
| Cascade Escalation | N/A | No | |
| Remediation | — | Remote Hands — Corax contacts on-site support via call, email, or API |
Scenario Conditions
PA-5250 with WildFire subscription. Cloud WildFire (not local WF-500). Internet proxy change broke WildFire API connectivity. Default action on WildFire unreachable: allow. 3-hour gap in file analysis.
Injected Error Messages (2)
palo alto wildfire cloud connectivity lost — PA-5250 unable to submit samples to wildfire cloud for analysis, all unknown file verdicts defaulting to 'allow' per security profile, palo alto wildfire submission queue backed up with 2847 pending samples, wildfire API returning connection errors, file-based threats bypassing inspection
palo alto PA-5250 system log: wildfire cloud unreachable for 3 hours — proxy configuration change blocked wildfire API traffic on port 443 to wildfire.paloaltonetworks.com, palo alto forwarding profile action on wildfire-unreachable set to 'allow', security posture weakened, 2847 files passed without cloud verdict analysis
Neural Engine Root Cause Analysis
The Palo Alto PA-5250 firewall has lost connectivity to the WildFire cloud service, preventing malware analysis submission. This is causing a security control failure where unknown files are defaulting to 'allow' status, creating a significant security gap. The 2,847 backed-up samples and connection errors suggest either network connectivity issues, DNS resolution problems, or authentication/SSL certificate issues between the firewall and WildFire cloud service.
Remediation Plan
1. Check network connectivity from PA-5250 to WildFire cloud endpoints (wildfire.paloaltonetworks.com). 2. Verify DNS resolution is working for WildFire domains. 3. Check SSL certificate validity and trust chain. 4. Validate WildFire subscription status and API credentials. 5. Review firewall logs for specific connection errors. 6. Test connectivity using PA CLI 'test wildfire cloud' command. 7. If connectivity issues persist, check upstream network infrastructure and routing. 8. Consider temporarily adjusting security profiles to block unknown files instead of allow until connectivity is restored.
Tested: 2026-03-30Monitors: 2 | Incidents: 2Test ID: cmnck4bdw06ltobqeh2yvwgtg