Create an AI Security Profile

Create an AI security profile to add AI application protection, AI data protection, and AI model protection to your security policy rules.
This page helps you create an AI security profile and associate it with a security policy rule to monitor the AI traffic passing through AI Runtime Security: Network intercept (AI firewall) managed by Strata Cloud Manager or Panorama.
Where Can I Use This? What Do I Need?
  • Create an AI Security Profile
  • Deploy AI Runtime Security: Network intercept managed by Strata Cloud Manager or Panorama
An AI security profile protects only AI traffic. You can configure the profile with the following protections:
  • AI application protection with URL categorization.
  • AI model protection to protect your AI models against threats such as prompt injections.
  • AI data protection to protect against threats such as sensitive data leakage.
This profile can only be configured from Strata Cloud Manager or Panorama.

SCM

  1. Navigate to Manage → Configuration → NGFW and Prisma Access → Security Services → AI Security.
  2. Select the Configuration Scope as Global or limit it to your AI security profile.
  3. Select AI Security → Add Profile.
  4. Enter a Name and a Description.
  5. Add Model Group for customized protections. See Create Model Groups for Customized Protections.
    For example, a model group with URL categorization and prompt injection alert settings is attached to the following security profile for a target AI model. You can attach a security policy as a zone or a DAG:
    • For zone-based security, follow the use case on how to Create Traffic Objects for Zone-Based Security using specific clusters to monitor the ingress and east-west traffic. Attach this zone to a security policy rule to enforce policies on the AI traffic sourced from this zone and the traffic objects within this zone.
    • For protecting the source AI applications, use Dynamic Address Groups in Policy and reference these DAGs in the security policy rule.
  6. In the Advanced Settings, under Latency:
    • Max Inline Latency: Set the maximum allowed latency for inline threat detection. The allowed range is 1-300 seconds.
    • Inline Timeout Action: Specify the action to take if inline threat detection exceeds the Max Inline Latency:
      • Allow
      • Alert (Report threats asynchronously)
      • Block
  7. Select Create.

Panorama

Prerequisite:
Ensure that Panorama `CloudConnector Plugin 2.1.0` can connect to the cloud; refer to the Panorama onboarding prerequisites for detailed steps.
  1. Log in to the Panorama™ management server web interface.
  2. Select Objects → Security Profiles → AI Security and select Add.
  3. Enter a Name and a Description.
  4. In Model Groups, select the default model group or Add a new one for customized protections. See Create Model Groups for Customized Protections.
  5. In the Advanced Settings, under Latency:
    • Max Inline Latency: Set the maximum allowed latency for inline threat detection. The allowed range is 1-300 seconds.
    • Inline Timeout Action: Specify the action to take if inline threat detection exceeds the Max Inline Latency:
      • Allow
      • Alert (Report threats asynchronously)
      • Block
  6. Select OK.