Advanced Threat Prevention Powered by Precision AI™
Configure Inline Cloud Analysis
Table of Contents
Configure Inline Cloud Analysis
Where Can I Use
This? | What Do I Need? |
---|---|
|
|
Inline Cloud Analysis is an Advanced Threat Prevention feature that enables the detection of
advanced, highly-evasive zero-day command-and-control (C2) threats and command
injection and SQL injection vulnerabilities in real-time by querying the Advanced
Threat Prevention cloud service. Inline Cloud Analysis protection is delivered
through your Anti-Spyware and Vulnerability Protection security profiles, with
advanced C2 (command-and-control) and spyware threats handled by the former, and
command injection and SQL injection vulnerabilities by the latter.
Supported firewalls operating PAN-OS 11.2 and later deployments can also access Local
Deep Learning for Advanced Threat Prevention. Local Deep Learning complements the
cloud-based Inline Cloud Analysis component of Advanced Threat Prevention by
providing a mechanism to perform fast, local deep learning-based analysis of
zero-day and other evasive threats. Updates to Local Deep Learning models are
delivered through content updates. Due to the additional system resources necessary
to run local Deep Learning detection modules, Local Deep Learning is only available
on the following platforms:
- PA-5400 Series, excluding the PA-5450 appliance.
- VM-Series (must allocate at least 16GB of total memory)
- VM-Series Public Cloud
- VM-Series Private Cloud
To enable and configure Inline Cloud Analysis, and Local Deep Learning, you must activate your
Advanced Threat Prevention license and create (or modify) the Anti-Spyware and
Vulnerability Protection security profile. Then configure the policy settings for
each category analysis engine and then attach the profiles to a security policy
rule.
For more information on creating security policy rules, refer to the Policy chapter of the PAN-OS®
Administrator’s Guide.
Configure Inline Cloud Analysis (Strata Cloud Manager)
Strata Cloud Manager
)- To take advantage of inline cloud analysis, you must have an activePrisma Accesssubscription, which provides access to Advanced Threat Prevention features. For information about the applications and services offered withPrisma Access, refer to All Available Apps and Services.To verify subscriptions for which you have currently-active licenses, Check What’s Supported With Your License.
- Use the credentials associated with your Palo Alto Networks support account and log in to theStrata Cloud Manageron the hub.
- Update or create a new Anti-Spyware Security profile to enable inline cloud analysis (to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time).
- Select.ManageConfigurationNGFW andPrisma AccessSecurity ServicesAnti-Spyware
- Select your Anti-Spyware security profile and then go toInline Cloud Analysispanel andEnable Inline Cloud Analysis.
- Specify anActionto take when a threat is detected using a corresponding analysis engine.The default action for each analysis engine isalert, however, Palo Alto Networks recommends setting all actions toReset-Bothfor the best security posture.
- Allow—The request is allowed and no log entry is generated.
- Alert—The request is allowed and a Threat log entry is generated.
- Drop—Drops the request; a reset action is not sent to the host/application.
- Reset-Client—Resets the client-side connection.
- Reset-Server—Resets the server-side connection.
- Reset-Both—Resets the connection on both the client and server ends.
- ClickOKto exit the Anti-Spyware Profile configuration dialog andCommityour changes.
- (Optional)Add URL and/or IP address exceptions to your Anti-Spyware profile if Inline Cloud Analysis produces false-positives. You can add exceptions by specifying an external dynamic list (URL or IP address list types) or anAddressespolicy object.
- Add anExternal Dynamic Listsor [IP]Addressesobject exception.
- Select.ManageConfigurationAnti-Spyware
- Select an Anti-Spyware profile for which you want to exclude specific URLs and/or IP addresses and then go to theInline Cloud Analysispane.
- Add EDL/URLorAdd IP Address, depending on the type of exception you want to add, and then select a pre-existing URL or IP address external dynamic list. If none are available, create a new external dynamic list policy object. For IP address exceptions, you can, optionally, select anAddressesobject list.
- ClickOKto save the Anti-Spyware profile andCommityour changes.
- (Optional)Monitor Advanced Threat Prevention
Configure Inline Cloud Analysis (PAN-OS & Panorama)
Advanced Threat Prevention Inline Cloud Analysis supports multiple detection
engines, which require different minimum PAN-OS releases to enable:
- Detection of advanced C2 (command-and-control) and spyware threats requires PAN-OS 10.2 and later.
- Detection of zero-day exploit threats requires PAN-OS 11.0 and later.
- Support for LDL (Local Deep Learning) requires PAN-OS 11.2 and later.
- To take advantage of inline cloud analysis, you must have an active Advanced Threat Prevention subscription.To verify subscriptions for which you have currently-active licenses, selectand verify that the appropriate licenses are available and have not expired.DeviceLicenses
- Update or create a new Anti-Spyware Security profile to enable inline cloud analysis (to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time).
- Select an existingAnti-Spyware ProfileorAdda new one ().ObjectsSecurity ProfilesAnti-Spyware
- Select your Anti-Spyware profile and then go toInline Cloud AnalysisandEnable inline cloud analysis.
- (Local Deep Learning [Supported in PAN-OS 11.2 and later])Selectenablefor each available analysis engine with aLocal Deep Learning (LDL)option. There are currently two analysis engines available with an optional LDL mode:HTTP Command and Control detectorandHTTP2 Command and Control detector.
- Specify anActionto take when a threat is detected using a corresponding analysis engine.The default action for each analysis engine isalert, however, Palo Alto Networks recommends setting all actions toReset-Bothfor the best security posture.
- Allow—The request is allowed and no log entry is generated.
- Alert—The request is allowed and a Threat log entry is generated.
- Drop—Drops the request; a reset action is not sent to the host/application.
- Reset-Client—Resets the client-side connection.
- Reset-Server—Resets the server-side connection.
- Reset-Both—Resets the connection on both the client and server ends.
- ClickOKto exit the Anti-Spyware Profile configuration dialog andCommityour changes.
- (Optional)Add URL and/or IP address exceptions to your Anti-Spyware profile if Inline Cloud Analysis produces false-positives. You can add exceptions by specifying an external dynamic list (URL or IP address list types) or anAddressesobject.
- Add anExternal Dynamic Listsor [IP]Addressesobject exception.
- SelectObjects > Security Profiles > Anti-Spyware.
- Select an Anti-Spyware profile for which you want to exclude specific URLs and/or IP addresses and then selectInline Cloud Analysis.
- AddanEDL URLorIP Address, depending on the type of exception you want to add, and then select a pre-existing URL or IP address external dynamic list. If none are available, create a new external dynamic list. For IP address exceptions, you can, optionally, select anAddressesobject list.Anti-spyware profiles that are configured asSharedon Panorama-managed firewalls cannot have IP address objects added to the Inline Cloud Analysis exceptions list.
- ClickOKto save the Anti-Spyware profile andCommityour changes.
- (Supported in PAN-OS 11.0 and later)Update or create a new Vulnerability Protection Security profile to enable inline cloud analysis (to analyze traffic for command injection and SQL injection vulnerabilities in real-time).
- Select an existing Vulnerability Protection security profile orAdda new one ().ObjectsSecurity ProfilesVulnerability Protection
- Select your Vulnerability Protection profile and then go toInline Cloud AnalysisandEnable cloud inline analysis.
- Specify anActionto take when a vulnerability exploit is detected using a corresponding analysis engine. There are currently two analysis engines available:SQL InjectionandCommand Injection.
- Allow—The request is allowed and no log entry is generated.
- Alert—The request is allowed and a Threat log entry is generated.
- Reset-Client—Resets the client-side connection.
- Reset-Server—Resets the server-side connection.
- Reset-Both—Resets the connection on both the client and server ends.
- ClickOKto exit the Vulnerability Protection Profile configuration dialog andCommityour changes.
- (Optional)Add URL and/or IP address exceptions to your Vulnerability Protection profile if Inline Cloud Analysis produces false-positives. You can add exceptions by specifying an external dynamic list (URL or IP address list types) or anAddressesobject.
- Add anExternal Dynamic Listsor [IP]Addressesobject exception.
- SelectObjects > Security Profiles > Vulnerabilityto return to your Vulnerability Protection profile.
- Select a Vulnerability profile for which you want to exclude specific URLs and/or IP addresses and then selectInline Cloud Analysis.
- AddanEDL URLorIP Address, depending on the type of exception you want to add, and then select a pre-existing URL or IP address external dynamic list. If none are available, create a new external dynamic list. For IP address exceptions, you can, optionally, select anAddressesobject list.Vulnerability profiles that are configured asSharedon Panorama-managed firewalls cannot have IP address objects added to the Inline Cloud Analysis exceptions list.
- ClickOKto save the Vulnerability Protection profile andCommityour changes.
- Configure the timeout latency and action to take when the request exceeds the max latency.
- Select.DeviceSetupContent-IDThreat Prevention Inline Cloud Analysis
- Specify the timeout value and the associated action to take when latency limits are reached for Inline Cloud Analysis requests:
- Max Latency (ms)—Specify the maximum acceptable processing time, in seconds, for Inline Cloud Analysis to return a result.
- Allow on Max Latency—Enables the firewall to take the action of allow, when the maximum latency is reached. De-selecting this option sets the firewall action to block.
- Log Traffic Not Scanned— Enables the firewall to log traffic requests that exhibit anomalous traits indicating the presence of advanced and evasive command-and-control (C2) threats, but have not been processed by Threat Prevention Inline Cloud analyzers.
- ClickOKto confirm your changes.
- Install a Device Certificate Repeat for all firewalls enabled for inline cloud analysis.
- (Optional)Set the Cloud Content Fully Qualified Domain Name (FQDN) used by the firewall to handle inline cloud analysis service requests. The default FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then resolves to the closest cloud services server. You can override the automatic server selection by specifying a regional cloud content server that best meets your data residency and performance requirements.The Cloud Content FQDN is a globally used resource and affects how other services that rely on this connection sends traffic payloads.Verify that the firewall uses the correct Content Cloud FQDN () for your region and change the FQDN if necessary:DeviceSetupContent-IDContent Cloud SettingIf your NGFW is configured inline to facilitate a SaaS Security deployment, please note that the FQDNs located in France and Japan do not currently support SaaS Security functionality.
- US Central (Iowa, US)—us.hawkeye.services-edge.paloaltonetworks.com
- Europe (Frankfurt, Germany)—eu.hawkeye.services-edge.paloaltonetworks.com
- APAC (Singapore)—apac.hawkeye.services-edge.paloaltonetworks.com
- India (Mumbai)—in.hawkeye.services-edge.paloaltonetworks.com
- UK (London, England)—uk.hawkeye.services-edge.paloaltonetworks.com
- France (Paris, France)—fr.hawkeye.services-edge.paloaltonetworks.com
- Japan (Tokyo, Japan)—jp.hawkeye.services-edge.paloaltonetworks.com
- Australia (Sydney, Australia)—au.hawkeye.services-edge.paloaltonetworks.com
- Canada (Montréal, Canada)—ca.hawkeye.services-edge.paloaltonetworks.com
- Switzerland (Zürich, Switzerland)—ch.hawkeye.services-edge.paloaltonetworks.com
- (Optional)Verify the status of your firewall connectivity to the Advanced Threat Prevention cloud service.Use the following CLI command on the firewall to view the connection status.show ctd-agent status security-clientFor example:show ctd-agent status security-client ... Security Client AceMlc2(1) Current cloud server: hawkeye.services-edge.paloaltonetworks.com Cloud connection: connected ...CLI output shortened for brevity.If you are unable to connect to the Advanced Threat Prevention cloud service, verify that the following domain is not being blocked: hawkeye.services-edge.paloaltonetworks.com.
- (Optional)Monitor Advanced Threat Prevention