>
    PAN-OS
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced WildFire
    3. Configure Advanced WildFire Analysis
    4. Enable Advanced WildFire Inline ML
    5. PAN-OS
    Download PDF

    Advanced WildFire

    PAN-OS

    Table of Contents

    PAN-OS

    To enable your WildFire inline ML configuration, attach the Antivirus profile configured with the inline ML settings to a security policy rule.
    WildFire inline ML is not currently supported on the VM-50 or VM50L virtual appliance.
    1. To take advantage of WildFire inline ML, you must have an active WildFire subscription to analyze Windows executables.
      Verify that you have a WildFire subscription. To verify which subscriptions that you currently have licenses for, select
      Device
      Licenses
       and verify that the appropriate licenses display and have not expired.
    2. Create a new or update your existing Antivirus security profile(s) to use the real-time WildFire inline ML models.
      1. Select an existing
        Antivirus Profile
         or create a new one (select
        Objects > Security Profiles > Antivirus
         and
        Add
         a new profile.
      2. Configure your Antivirus profile.
      3. Select the
        WildFire Inline ML
         tab and apply an
        Action Setting
         for each WildFire Inline ML model. This enforces the WildFire Inline ML Actions settings configured for each protocol on a per model basis. The following classification engines available:
        • Windows Executables
        • PowerShell Scripts 1
        • PowerShell Scripts 2
        • Executable Linked Format (available with installation of PAN-OS content release 8367 and later)
        • MSOffice (available with installation of PAN-OS content release 8434 and later)
        • Shell Scripts (available with installation of PAN-OS content release 8543 and later)
        • enable (inherit per-protocol actions)
          —WildFire inspects traffic according to your selections in the WildFire Inline ML Action column in the decoders section of the
          Action
           tab.
        • alert-only (override more strict actions to alert)
          —WildFire inspects traffic according to your selections in the WildFire Inline ML Action column in the decoders section of the
          Action
           tab and overrides any action with a severity level higher than
          alert
           (
          drop
          ,
          reset-client
          ,
          reset-server
          ,
          reset-both
          )
          alert
          , which allows traffic to pass while still generating and saving an alert in the threat logs.
        • disable (for all protocols)
          —WildFire allows traffic to pass without any policy action.
      4. Click
        OK
         to exit the Antivirus Profile configuration window and
        Commit
         your new settings.
    3. (Optional)
       Add file exceptions to your Antivirus security profile if you encounter false-positives. This is typically done for users who are not forwarding files to WildFire for analysis. You can add the file exception details directly to the exception list or by specifying a file from the threat logs.
      If your WildFire Analysis security profile is configured to forward the filetypes analyzed using WildFire inline ML, false-positives are automatically corrected as they are received. If you continue to see ml-virus alerts for files that have been classified as benign by WildFire Analysis, please contact Palo Alto Networks Support.
      • Add file exceptions directly to the exception list.
        1. Select
          Objects > Security Profiles > Antivirus
          .
        2. Select an Antivirus profile for which you want to exclude specific files and then select
          WildFire Inline ML
          .
        3. Add the hash, filename, and description of the file that you want to exclude from enforcement.
        4. Click
          OK
           to save the Antivirus profile and then
          Commit
           your updates.
      • Add file exceptions from threat logs entries.
        1. Select
          Monitor > Logs > Threat
           and filter the logs for the
          ml-virus
           threat type. Select a threat log for a file that you wish to create a file exception for.
        2. Go to the
          Detailed Log View
           and scroll down to the
          Details
           pane then select
          Create Exception
          .
        3. Add a
          Description
           and click
          OK
           to add the file exception.
        4. The new file exception can be found
          File Exceptions
           list under
          Objects > Security Profiles > Antivirus > WildFire Inline ML
          .
    4. (Optional)
       Verify the status of your firewall’s connectivity to the Inline ML cloud service.
      Use the following CLI command on the firewall to view the connection status.
      show mlav cloud-status
      For example:
      show mlav cloud-status

MLAV cloud
Current cloud server:          ml.service.paloaltonetworks.com
Cloud connection:              connected
      If you are unable to connect to the Inline ML cloud service, verify that the following domain is not being blocked: ml.service.paloaltonetworks.com.
    To view information about files that have been detected using WildFire Inline ML, examine the threat logs (
    Monitor > Logs > Threat
    , then select the log type from the list). Files that have been analyzed using WildFire inline ML are labeled with the threat type
    ml-virus
    :

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.