- To take advantage of inline categorization, you must have an active Advanced URL Filtering subscription.Local inline categorization can be enabled if you are a pre-existing holder of a legacy URL Filtering subscription.Verify that you have an Advanced URL Filtering subscription. To verify subscriptions for which you have currently-active licenses, selectand verify that the appropriate licenses are available and have not expired.DeviceLicenses
- Update or create a new URL Filtering profile to enable cloud inline categorization.The policy action used by local and cloud inline categorization is dependent on the configured settings under theCategoriestab.
- Select an existingURL Filtering ProfileorAdda new one ().ObjectsSecurity ProfilesURL Filtering
- Select your URL Filtering profile and then go toInline Categorizationand enable the inline categorization methods you want to deploy.
- Enable cloud inline categorization—A cloud-based inline deep learning engine that analyzes suspicious web page content in real-time to protect users against zero-day web attacks, including targeted phishing attacks, and other web-based attacks that use advanced evasion techniques.
- ClickOKto exit the URL Filtering Profile configuration dialog andCommityour changes.
- (Optional)Add URL exceptions to your URL Filtering profile if you encounter false-positives. You can add exceptions by specifying an external dynamic list or custom URL category list in the URL Filtering profile. The specified exceptions apply to both cloud and local inline categorization.can also function as exceptions for inline categorization.URL exceptions created through other mechanisms that add entries to the custom URL category ()ObjectsCustom ObjectsURL Category
- SelectObjects > Security Profiles > URL Filtering.
- Select a URL Filtering profile for which you want to exclude specific URLs and then selectInline Categorization.
- ClickOKto save the URL Filtering profile andCommityour changes.
- (Optional)Set the Cloud Content Fully Qualified Domain Name (FQDN) used by the firewall to handle inline categorization service requests. The default FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then resolves to the closest cloud services server. You can override the automatic server selection by specifying a regional cloud content server that best meets your data residency and performance requirements.The Cloud Content FQDN is a globally used resource and affects how other services that rely on this connection sends traffic payloads.Verify that the firewall uses the correct Content Cloud FQDN () for your region and change the FQDN if necessary:DeviceSetupContent-IDContent Cloud Setting
- UK—uk.hawkeye.services-edge.paloaltonetworks.comThe UK-based cloud content FQDN provides Advanced URL Filtering inline categorization service support by connecting to the backend service located in the EU (eu.hawkeye.services-edge.paloaltonetworks.com).
- (Optional)Verify the status of your firewall’s connectivity to the inline categorization servers.
- The ml.service.paloaltonetworks.com server provides periodic updates for firewall-based components related to the operation of cloud and local inline categorization.Use the following CLI command on the firewall to view the connection status.show mlav cloud-statusFor example:show mlav cloud-status MLAV cloud Current cloud server: ml.service.paloaltonetworks.com Cloud connection: connectedIf you are unable to connect to the inline ML cloud service, verify that the following domain is not being blocked: ml.service.paloaltonetworks.com.
- The hawkeye.services-edge.paloaltonetworks.com server is used by cloud inline categorization to handle service requests.Use the following CLI command on the firewall to view the connection status.show ctd-agent status security-clientFor example:show ctd-agent status security-client ... Security Client AceMlc2(1) Current cloud server: hawkeye.services-edge.paloaltonetworks.com Cloud connection: connected ...CLI output shortened for brevity.If you are unable to connect to the Advanced URL Filtering cloud service, verify that the following domain is not being blocked: hawkeye.services-edge.paloaltonetworks.com.
- Install an updated firewall device certificate used to authenticate to the Advanced URL Filtering cloud service. Repeat for all firewalls enabled for cloud inline categorization.
- (Optional—Cloud categorization only)Visit the following test URLs to verify that the Advanced URL Filtering service is properly categorizing URLs detected by cloud inline categorization:
- (Optional)Monitor the activity on the firewall to verify that the tested URLs have been properly categorized as real-time-detection.URLs categorized as real-time-detection include content analyzed by both local inline categorization (URL Filtering Inline ML) and cloud inline categorization.
- Selectand filter byMonitorLogsURL Filtering(url_category_list contains real-time-detection)to view logs that have been analyzed using Advanced URL Filtering.Additional web page category matches are also displayed and corresponds to the categories as defined by PAN-DB.
- Take a detailed look at the logs to verify that each type of web threat is correctly analyzed and categorized.In the next example, the URL is categorized as having been analyzed in real-time and possessing qualities that define it as command-and-control (C2). Because the C2 category has a more severe action associated with it than real-time-detection (block as opposed to alert), the URL is categorized as command-and-control and blocked.
Recommended For You
Recommended videos not found.