PAN-OS

  1. To take advantage of inline cloud analysis, you must have an active Advanced Threat Prevention subscription.
    To verify subscriptions for which you have currently-active licenses, select
    Device
    Licenses
    and verify that the appropriate licenses are available and have not expired.
  2. Update or create a new Anti-Spyware Security profile to enable inline cloud analysis (to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time).
    1. Select an existing
      Anti-Spyware Profile
      or
      Add
      a new one (
      Objects
      Security Profiles
      Anti-Spyware
      ).
    2. Select your Anti-Spyware profile and then go to
      Inline Cloud Analysis
      and
      Enable inline cloud analysis
      .
    3. Specify an
      Action
      to take when a threat is detected using a corresponding analysis engine.
      The default action for each analysis engine is
      alert
      , however, Palo Alto Networks recommends setting all actions to
      Reset-Both
      for the best security posture.
      • Allow
        —The request is allowed and no log entry is generated.
      • Alert
        —The request is allowed and a Threat log entry is generated.
      • Drop
        —Drops the request; a reset action is not sent to the host/application.
      • Reset-Client
        —Resets the client-side connection.
      • Reset-Server
        —Resets the server-side connection.
      • Reset-Both
        —Resets the connection on both the client and server ends.
    4. Click
      OK
      to exit the Anti-Spyware Profile configuration dialog and
      Commit
      your changes.
  3. (Optional)
    Add URL and/or IP address exceptions to your Anti-Spyware profile if Inline Cloud Analysis produces false-positives. You can add exceptions by specifying an external dynamic list (URL or IP address list types) or an
    Addresses
    object.
    1. Add an
      External Dynamic Lists
      or [IP]
      Addresses
      object exception.
    2. Select
      Objects > Security Profiles > Anti-Spyware
      .
    3. Select an Anti-Spyware profile for which you want to exclude specific URLs and/or IP addresses and then select
      Inline Cloud Analysis
      .
    4. Add
      an
      EDL URL
      or
      IP Address
      , depending on the type of exception you want to add, and then select a pre-existing URL or IP address external dynamic list. If none are available, create a new external dynamic list. For IP address exceptions, you can, optionally, select an
      Addresses
      object list.
    5. Click
      OK
      to save the Anti-Spyware profile and
      Commit
      your changes.
  4. Update or create a new Vulnerability Protection Security profile to enable inline cloud analysis (to analyze traffic for command injection and SQL injection vulnerabilities in real-time).
    Currently available only in PAN-OS 11.0.
    1. Select an existing Vulnerability Protection security profile or
      Add
      a new one (
      Objects
      Security Profiles
      Vulnerability Protection
      ).
    2. Select your Vulnerability Protection profile and then go to
      Inline Cloud Analysis
      and
      Enable cloud inline analysis
      .
    3. Specify an
      Action
      to take when a vulnerability exploit is detected using a corresponding analysis engine. There are currently two analysis engines available:
      SQL Injection
      and
      Command Injection
      .
      • Allow
        —The request is allowed and no log entry is generated.
      • Alert
        —The request is allowed and a Threat log entry is generated.
      • Reset-Client
        —Resets the client-side connection.
      • Reset-Server
        —Resets the server-side connection.
      • Reset-Both
        —Resets the connection on both the client and server ends.
    4. Click
      OK
      to exit the Vulnerability Protection Profile configuration dialog and
      Commit
      your changes.
  5. (Optional)
    Add URL and/or IP address exceptions to your Vulnerability Protection profile if Inline Cloud Analysis produces false-positives. You can add exceptions by specifying an external dynamic list (URL or IP address list types) or an
    Addresses
    object.
    1. Add an
      External Dynamic Lists
      or [IP]
      Addresses
      object exception.
    2. Select
      Objects > Security Profiles > Vulnerability
      to return to your Vulnerability Protection profile.
    3. Select a Vulnerability profile for which you want to exclude specific URLs and/or IP addresses and then select
      Inline Cloud Analysis
      .
    4. Add
      an
      EDL URL
      or
      IP Address
      , depending on the type of exception you want to add, and then select a pre-existing URL or IP address external dynamic list. If none are available, create a new external dynamic list. For IP address exceptions, you can, optionally, select an
      Addresses
      object list.
    5. Click
      OK
      to save the Vulnerability Protection profile and
      Commit
      your changes.
  6. Install a Device Certificate Repeat for all firewalls enabled for inline cloud analysis.
  7. (Optional)
    Set the Cloud Content Fully Qualified Domain Name (FQDN) used by the firewall to handle inline cloud analysis service requests. The default FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then resolves to the closest cloud services server. You can override the automatic server selection by specifying a regional cloud content server that best meets your data residency and performance requirements.
    The Cloud Content FQDN is a globally used resource and affects how other services that rely on this connection sends traffic payloads.
    Verify that the firewall uses the correct Content Cloud FQDN (
    Device
    Setup
    Content-ID
    Content Cloud Setting
    ) for your region and change the FQDN if necessary:
    • US—
      us.hawkeye.services-edge.paloaltonetworks.com
    • EU—
      eu.hawkeye.services-edge.paloaltonetworks.com
    • UK—
      uk.hawkeye.services-edge.paloaltonetworks.com
      The UK-based cloud content FQDN provides Advanced Threat Prevention inline cloud analysis service support by connecting to the backend service located in the EU (eu.hawkeye.services-edge.paloaltonetworks.com).
    • APAC—
      apac.hawkeye.services-edge.paloaltonetworks.com
    • India—
      in.hawkeye.services-edge.paloaltonetworks.com
  8. (Optional)
    Verify the status of your firewall connectivity to the Advanced Threat Prevention cloud service.
    Use the following CLI command on the firewall to view the connection status.
    show ctd-agent status security-client
    For example:
    show ctd-agent status security-client ... Security Client AceMlc2(1) Current cloud server: hawkeye.services-edge.paloaltonetworks.com Cloud connection: connected ...
    CLI output shortened for brevity.
    If you are unable to connect to the Advanced Threat Prevention cloud service, verify that the following domain is not being blocked: hawkeye.services-edge.paloaltonetworks.com.

Recommended For You