Palo Alto Networks WildFire Integration

Communications

Palo Alto Networks WildFire is a firewall that analyzes network traffic, including applications, using the SHA-256 hash calculator. If you use Palo Alto Networks WildFire as a firewall, it integrates with Workspace ONE UEM using scheduled communications with the SHA-256 hash calculator to transfer data.

Workspace ONE UEM sends application hashes on schedule using the Workspace ONE Intelligent Hub for Android on devices and the Workspace ONE UEM Integration Service.
WildFire responds with three verdicts: malware, grayware, and benign.
Workspace ONE UEM creates two blacklisted app groups using malware and grayware verdicts. It records benign verdicts and does not resend hashes for benign applications.
Workspace ONE UEM calls to WildFire are synchronous and responses are immediate.
Integration uses port 443 for communication.

Process Flow

The App Scan Integration system includes alternating actions between Workspace ONE UEM and WildFire. Actions happen in a sequence so that the system reports accurate results and Workspace ONE UEM can act against threats identified by the system.


Workspace ONE UEM Pre-requisites	Configure an integration admin.
1. Workspace ONE UEM Actions	Enable communication. Sync either automatically with the scheduler or manually. Result – Workspace ONE UEM sends applications to WildFire.
2. WildFire Actions	Analyze application hashes. Identify offending Android applications. Result – WildFire sends results to Workspace ONE UEM.
3. Workspace ONE UEM Actions	Creates blacklisted app groups for grayware and malware applications. Configure compliance policies to act on devices with malicious applications. Result – Workspace ONE UEM acts as per compliance policies on offending devices.
Workspace ONE UEMTroubleshooting Options	View console events for integration activity. Deactivate blacklisted app groups. Reset integration.

Supported Components

App scan integration works for the listed applications. It is available for SaaS and on-premises customers, but it is available for only Android unmanaged applications.

This integration works using the Workspace ONE Intelligent Hub for Android v5.3 or later. Older Workspace ONE Intelligent Hub versions do not support integration.

Considerations

Consider these points to prevent issues or to help solve them.

Blacklisted Apps Remain Blacklisted
Once an application is blacklisted in the Workspace ONE UEM console using App Scan Integration it remains blacklisted unless unless you take action.
- Deactivate the blacklisted app group that includes the application.
- Reset the integration.
Consider how restrictive your WildFire rules are before performing an app reputation scan and edit rules as necessary.
Application Hashes, Application Versions, and Application Package Names
Although WildFire works with application hashes, Workspace ONE UEM app groups use the application package ID. The use of different components for analysis and management introduces the possibility to have an application version blacklisted in Workspace ONE UEM while WildFire considers a newer version benign. The new version remains blacklisted in Workspace ONE UEM due to its unchanged application package ID.
Customer Type Organization Group
You must configure App Scan Integration using a Customer type organization group. Integration does not work using any other type of organization group.
Android Application Control Profile and Blacklists
The blacklisted app groups created by this integration are not available to use in the Android application control profile.

Custom Admin Role

To manage the integration, create a special admin user with restrictive roles. Special roles help to separate configurations and changes made for integration, so that they do not affect other areas of your Workspace ONE UEM deployment.

You want this custom admin role to access the Third-Party Integration page and to add or make edits to app groups. Give integration admins these abilities by adding a custom admin role with the listed categories, also known as permissions.

If you do not want to create an integration admin, ensure that the appointed admin user has the listed categories.

Apps & Books > Application Groups > Application Group Update Active Status (Edit)
Apps & Books > Application Groups > Application Group Add Item (Edit)
Apps & Books > Application Groups > Application Group Edit Item (Edit)
Apps & Books > Application Groups > Application Group View (Read)
Settings > Apps > Catalog > Third-Party App Scanning (Edit)
Settings > Apps > Catalog > App Scan (Read)

Enable Integration

Add your Palo Alto Networks WildFire information to the Workspace ONE UEM console so that the two systems can share applications and scan results.

Navigate to Groups & Settings > All Settings > Apps > App Scan > Third-Party Integration.
Select to enable communication between Workspace ONE UEM and WildFire.

Select Palo Alto Networks WildFire for Choose App Scan Vendor and complete the settings.

Setting	Description
WildFire API Key	Enter the key for your WildFire system so Workspace ONE UEM can send application hashes directly to WildFire.

Results in App Groups

Use Workspace ONE UEM to identify those applications that failed an app scan. Workspace ONE UEM lists them in blacklisted app groups. The system prevents access to applications in blacklisted app groups for security. Deactivate a group if you know the applications are secure for use.

In Apps & Books > Applications > Application Settings > App Groups, use the Created By filter to sort the list by Palo Alto Networks WildFire.

Deactivate Blacklisted App Groups

If the system blacklisted an application that you need, deactivate WildFire blacklisted app groups.

Navigate to Apps & Books > Applications > Application Settings > App Groups.
Locate the Blacklisted app group with the needed application.
Select the drop-down icon from the actions menu () and select Deactivate.

When you deactivate these blacklisted app groups, Workspace ONE UEM takes these actions.

Workspace ONE UEM does not display them in the list when you build your Compliance policy.
Workspace ONE UEM removes the deactivated group from all Compliance policies.

Configure Compliance

Build an application compliance policy that acts on devices with non-compliant applications. Select Application List on the Rules tab and select Contains Vendor Blacklisted App(s) for integration.

To configure the compliance engine to monitor for applications from your reputation scanning system, add the blacklisted app group to the list. If the engine detects blacklisted applications on devices assigned to the compliance rule, the engine acts as configured in the rule.

Results of Resetting Integration

Resetting Palo Alto Networks WildFire integration results in numerous actions.

Disables the Third Party App Scan Analysis.
Removes the App Scan Integration account information from the Workspace ONE UEM console.
Removes the blacklisted app groups from the Workspace ONE UEM console created from third-party vendor scans.
Removes compliance policies created using the blacklisted app groups.

Another way to fix application issues is to deactivate blacklisted app groups. This option might fix issues without removing configurations.

Reset integration on the Third Party Integration page.

Monitor Integration With Console Events

Workspace ONE UEM lists events so that you can troubleshoot issues or find general information about systems configured in the console. Review console events in Monitor > Reports & Analytics > Events > Console Events. Events include the listed options.

App Scan Vendor Application Group Modified
Application Added To App Scan Vendor Application Group
Third Party Application Scanning Started
Error occurred while Third Party Application Scanning
Reset Perform for Third Party Application Scanning Vendor