PAN-OS

  1. To take advantage of inline categorization, you must have an active Advanced URL Filtering subscription.
    Local inline categorization can also be enabled if you hold a legacy URL Filtering subscription.
    To verify which subscriptions currently have active licenses, select Device > Licenses and confirm that the appropriate licenses are present and have not expired.
  2. Update or create a URL Filtering profile to enable inline categorization.
    The policy action applied to URLs that local and cloud inline categorization flag depends on the actions configured under the Categories tab of the profile, in particular the action assigned to the real-time-detection category (and any other categories the URL matches).
    1. Select an existing URL Filtering profile or Add a new one (Objects > Security Profiles > URL Filtering).
    2. Open the profile, go to Inline Categorization, and enable the inline categorization methods you want to deploy:
      • Enable cloud inline categorization—A cloud-based inline deep learning engine that analyzes suspicious web page content in real time to protect users against zero-day web attacks, including targeted phishing attacks and other web-based attacks that use advanced evasion techniques.
      • Enable local inline categorization—A firewall-based detection engine that uses machine learning to prevent malicious variants of JavaScript exploits and phishing attacks embedded in web pages.
    3. Click OK to exit the URL Filtering Profile configuration dialog and Commit your changes.
  3. (Optional) Add URL exceptions to your URL Filtering profile if you encounter false positives. You can add exceptions by specifying a URL-based external dynamic list (EDL) or a custom URL category in the profile; the specified exceptions apply to both cloud and local inline categorization.
    Entries added to a custom URL category through other mechanisms (Objects > Custom Objects > URL Category) can also function as exceptions for inline categorization.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Select the URL Filtering profile for which you want to exclude specific URLs and then select Inline Categorization.
    3. Click Add to select a pre-existing URL-based external dynamic list or custom URL category. If none is available, create a new external dynamic list or custom URL category.
    4. Click OK to save the URL Filtering profile and Commit your changes.
  4. (Optional) Set the Cloud Content Fully Qualified Domain Name (FQDN) that the firewall uses for inline categorization service requests. The default FQDN, hawkeye.services-edge.paloaltonetworks.com, resolves to the closest cloud services server. You can override the automatic server selection by specifying the regional cloud content server that best meets your data residency and performance requirements.
    The Cloud Content FQDN is a global setting: other services that rely on this connection also send their traffic payloads to the server it names, so changing it affects those services as well.
    Verify that the firewall uses the correct Cloud Content FQDN (Device > Setup > Content-ID > Content Cloud Setting) for your region and change the FQDN if necessary:
    • US—us.hawkeye.services-edge.paloaltonetworks.com
    • EU—eu.hawkeye.services-edge.paloaltonetworks.com
    • UK—uk.hawkeye.services-edge.paloaltonetworks.com
      The UK cloud content FQDN provides Advanced URL Filtering inline categorization by connecting to the backend service located in the EU (eu.hawkeye.services-edge.paloaltonetworks.com).
    • APAC—apac.hawkeye.services-edge.paloaltonetworks.com
  5. (Optional) Verify the status of the firewall's connectivity to the inline categorization servers.
    1. The ml.service.paloaltonetworks.com server provides periodic updates for the firewall-based components used by cloud and local inline categorization. Use the following CLI command on the firewall to view the connection status:
       show mlav cloud-status
      For example:
       show mlav cloud-status
       MLAV cloud
       Current cloud server: ml.service.paloaltonetworks.com
       Cloud connection: connected
      If the firewall cannot connect to the inline ML cloud service, verify that the following domain is not being blocked: ml.service.paloaltonetworks.com.
    2. The hawkeye.services-edge.paloaltonetworks.com server (or the regional FQDN you configured in the previous step) handles cloud inline categorization service requests. Use the following CLI command on the firewall to view the connection status:
       show ctd-agent status security-client
      For example (CLI output shortened for brevity):
       show ctd-agent status security-client
       ...
       Security Client AceMlc2(1)
       Current cloud server: hawkeye.services-edge.paloaltonetworks.com
       Cloud connection: connected
       ...
      If the firewall cannot connect to the Advanced URL Filtering cloud service, verify that the following domain (or the regional FQDN you configured) is not being blocked: hawkeye.services-edge.paloaltonetworks.com.
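The script below is an added example and is not code from the Palo Alto Networks documentation. It takes the text of the two CLI commands above (copied from the firewall), extracts the cloud server and connection state for each block, and checks that the hawkeye server actually in use is the regional FQDN expected for a chosen data-residency region, which catches the common case where the default unsuffixed FQDN was left in place. The two sample outputs embedded in it are constructed to match the layout shown on this page; the region names and the expected-FQDN mapping are taken from the list in the previous step.

```python
"""Parse PAN-OS inline categorization connectivity output and check the
regional Cloud Content FQDN.

Added example; not code from the Palo Alto Networks documentation.
Input is the text of `show mlav cloud-status` and `show ctd-agent status
security-client` as copied from the firewall CLI. The two sample outputs
below are constructed to match the layout the documentation shows.
"""
import re

# Cloud Content FQDNs listed on the page. The default, unsuffixed name
# selects the closest server automatically, so it gives no residency
# guarantee. (The UK FQDN is fronted by the EU backend, but the firewall
# still reports the uk.* name when that is what you configured.)
DEFAULT_FQDN = "hawkeye.services-edge.paloaltonetworks.com"
REGIONAL_FQDN = {
    "us": "us." + DEFAULT_FQDN,
    "eu": "eu." + DEFAULT_FQDN,
    "uk": "uk." + DEFAULT_FQDN,
    "apac": "apac." + DEFAULT_FQDN,
}

# Constructed sample CLI output (same layout as the page's examples).
MLAV_OUTPUT = """\
MLAV cloud
Current cloud server: ml.service.paloaltonetworks.com
Cloud connection: connected
"""

SECURITY_CLIENT_OUTPUT = """\
...
Security Client AceMlc2(1)
Current cloud server: hawkeye.services-edge.paloaltonetworks.com
Cloud connection: connected
...
"""


def parse_cloud_status(text):
    """Return one dict per server block: {'client', 'server', 'connected'}.

    Works for both commands: `show mlav cloud-status` yields a single block
    with client=None; the security-client output yields one block per
    'Security Client <name>' header. Unrecognised lines (such as the
    '...' elision markers) are ignored.
    """
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Security Client (\S+)", line)
        if m:
            current = {"client": m.group(1), "server": None, "connected": False}
            blocks.append(current)
            continue
        m = re.match(r"Current cloud server:\s*(\S+)", line)
        if m:
            if current is None:
                current = {"client": None, "server": None, "connected": False}
                blocks.append(current)
            current["server"] = m.group(1)
            continue
        m = re.match(r"Cloud connection:\s*(\S+)", line)
        if m and current is not None:
            current["connected"] = m.group(1).lower() == "connected"
    return blocks


def check_region(blocks, region):
    """Check the hawkeye block against the FQDN expected for `region`.

    Returns (ok, message). ok is False when no hawkeye block is present,
    the connection is not up, or the server in use is not the regional
    FQDN (for example because the default was left in place).
    """
    expected = REGIONAL_FQDN[region]
    for block in blocks:
        server = block["server"] or ""
        if not server.endswith(DEFAULT_FQDN):
            continue  # ml.service.* and other clients are not the hawkeye service
        if not block["connected"]:
            return False, f"{server}: not connected"
        if server != expected:
            return False, f"{server}: expected {expected} for region {region}"
        return True, f"{server}: connected"
    return False, "no hawkeye cloud server block found in output"


if __name__ == "__main__":
    print(parse_cloud_status(MLAV_OUTPUT))
    print(check_region(parse_cloud_status(SECURITY_CLIENT_OUTPUT), "eu"))
```

Run it with the real CLI output pasted into the two constants (or read from files) and the region you intend to use; a result of False with "expected eu.hawkeye..." means the firewall is connected but to the automatically selected server rather than the regional one configured under Content Cloud Setting.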
  6. (Optional—Cloud categorization only)
    Visit the following test URLs to verify that the Advanced URL Filtering service is properly categorizing URLs detected by cloud inline categorization:
  7. (Optional) Monitor the activity on the firewall to verify that the tested URLs have been categorized as real-time-detection.
    URLs categorized as real-time-detection include content analyzed by both local inline categorization (URL Filtering Inline ML) and cloud inline categorization.
    1. Select Monitor > Logs > URL Filtering and filter by (url_category_list contains real-time-detection) to view logs for URLs analyzed by Advanced URL Filtering inline categorization.
      Any additional web page categories that matched are also displayed and correspond to the categories defined by PAN-DB.
    2. Take a detailed look at the logs to verify that each type of web threat is correctly analyzed and categorized.
      In the next example, the URL is categorized as having been analyzed in real time and as possessing qualities that define it as command-and-control (C2). Because the C2 category has a more severe action associated with it than real-time-detection (block as opposed to alert), the URL is categorized as command-and-control and blocked.
    3. The Inline Categorization Verdict is displayed under the Details pane of the detailed log view. Web pages that local inline categorization determines to contain threats receive a verdict of either phishing or malicious-javascript. Verdicts from cloud inline categorization are shown as cloud.
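The following script is an added example, not part of this documentation, that shows the action-resolution behaviour described in step 7.2 over a handful of constructed log records: it applies the same filter as the log viewer (url_category_list contains real-time-detection) and then works out which category's action wins when a URL matches several categories. The profile mapping and the log records are hypothetical; the precedence order it assumes (block over override over continue over alert over allow) is consistent with the page's statement that a block on command-and-control beats an alert on real-time-detection. The practical point it makes visible is that an inline verdict of phishing or malicious-javascript is only enforced as strongly as the action you gave real-time-detection under the Categories tab.

```python
"""Resolve the action a URL Filtering profile applies when a URL matches
several categories, including real-time-detection.

Added example; not code from the Palo Alto Networks documentation. The log
records and the category-to-action map are constructed. SEVERITY is the
assumed precedence for multi-category matches: the most severe action wins.
"""

SEVERITY = {"allow": 0, "alert": 1, "continue": 2, "override": 3, "block": 4}

# Hypothetical URL Filtering profile (Categories tab): category -> action.
PROFILE = {
    "real-time-detection": "alert",
    "command-and-control": "block",
    "phishing": "block",
    "malware": "block",
    "computer-and-internet-info": "allow",
    "unknown": "alert",
}

# Constructed, simplified URL Filtering log records. Real exports carry many
# more fields; only the ones this example needs are kept.
LOGS = [
    {"url": "acct-verify.example/login",
     "categories": ["real-time-detection", "phishing"],
     "verdict": "phishing"},
    {"url": "cdn.example/app.js",
     "categories": ["real-time-detection", "command-and-control"],
     "verdict": "cloud"},
    {"url": "news.example/",
     "categories": ["computer-and-internet-info"],
     "verdict": None},
    {"url": "static.example/lib.js",
     "categories": ["real-time-detection", "computer-and-internet-info"],
     "verdict": "malicious-javascript"},
]


def effective_action(categories, profile, default="alert"):
    """Return (action, category) for the most severe action among the matched
    categories; ties keep the first category listed. Categories missing from
    the profile fall back to `default`. Returns None for an empty list."""
    best = None
    for cat in categories:
        action = profile.get(cat, default)
        if best is None or SEVERITY[action] > SEVERITY[best[0]]:
            best = (action, cat)
    return best


def real_time_detections(records):
    """Equivalent of the log filter (url_category_list contains real-time-detection)."""
    return [r for r in records if "real-time-detection" in r["categories"]]


def summarize(records, profile):
    """One row per filtered record: (url, winning category, action, inline verdict)."""
    rows = []
    for r in real_time_detections(records):
        action, cat = effective_action(r["categories"], profile)
        rows.append((r["url"], cat, action, r["verdict"]))
    return rows


if __name__ == "__main__":
    for row in summarize(LOGS, PROFILE):
        print(row)
```

In the last record the page was flagged by local inline categorization (verdict malicious-javascript) but matched no other blocked category, so with real-time-detection set to alert the traffic is only logged; raise that category's action to block if you want inline verdicts enforced on their own.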
