Enabling WildFire public cloud analysis from Carbon Black App Control increases the number of WildFire queries per day. If the number of queries sent to the WildFire cloud per day exceeds the daily limit, consider reducing or eliminating automated file submissions or modifying the filters that determine what is submitted.
The WildFire query count is incremented by the integration under the following circumstances:
- When Carbon Black App Control receives logs from a Palo Alto Networks appliance, the logs can reference WildFire reports. If the Enable Additional Lookups box is checked on the Palo Alto Networks Integration page, the WildFire cloud is queried for each log entry that needs to be referenced. If your query count exceeds the limit, consider disabling this automatic query.
- During initial import of data from the WildFire log of the Palo Alto Networks appliance after the integration is configured, a high volume of queries can occur at one time, depending on how many days you configured for Initial Import and how many WildFire log entries exist on the firewall for that period.
- When a file is submitted from Carbon Black App Control to the cloud for analysis, either manually or automatically through an Event Rule, there is one WildFire query to see if the hash for that file is already known. If it is known, it will not be uploaded and this will be the only query. If it is not known, there will be another query to submit the file and one to query for the results of the analysis.
- If an Event Rule initiates upload of a file to the WildFire cloud but the query limit for the day has already been reached, processing of that file is delayed until the next day. This allows the license count to reset. Carbon Black App Control initiates this delay automatically, and this state is reported as a tooltip if you hover the mouse cursor over the Status field of an affected file on the Analyzed Files page.
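
To see how these counting rules add up against a daily limit, the following added example (not Carbon Black or Palo Alto Networks code) models one query per log lookup, one per already-known file, and three per unknown file, and carries deferred files into the next day. The limit and volumes are constructed placeholders; counting log lookups first, processing files in submission order, and starting a file only when its full cost fits are assumptions of this model.

```python
from collections import deque

KNOWN_COST = 1    # hash query only: WildFire already knows the file
UNKNOWN_COST = 3  # hash query + submit query + results query

def simulate(days, daily_limit):
    """days: list of (log_lookups, [hash_known, ...]) per day, in order.
    Returns one dict per day: queries used, files deferred, over-limit flag."""
    pending = deque()          # files waiting for budget, oldest first
    report = []
    for log_lookups, files in days:
        pending.extend(files)
        used = log_lookups     # assumption: log lookups are counted before submissions
        while pending:
            cost = KNOWN_COST if pending[0] else UNKNOWN_COST
            if used + cost > daily_limit:
                break          # limit reached: the rest wait for the next day's reset
            used += cost
            pending.popleft()
        report.append({"used": used, "deferred": len(pending),
                       "over_limit": used > daily_limit})
    return report

# Constructed sample: the limit and volumes are placeholders, not product values.
SAMPLE_LIMIT = 1000
SAMPLE_DAYS = [
    (950, [False] * 20 + [True] * 10),  # day 0: Initial Import spike plus 30 submissions
    (200, [False] * 5),                 # day 1: normal day, 5 new unknown files
]

if __name__ == "__main__":
    for n, day in enumerate(simulate(SAMPLE_DAYS, SAMPLE_LIMIT)):
        print(n, day)
```

A day with `over_limit` set means log lookups alone exceed the budget, which is the case where disabling Enable Additional Lookups or shortening Initial Import helps more than trimming Event Rule submissions.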