Configure Inline Categorization (PAN-OS 10.1)

1. Log in to the PAN-OS web interface.
2. Verify that you have an active legacy URL filtering or Advanced URL Filtering subscription.

   Select DeviceLicenses and confirm that a URL filtering license is available and has not expired.

3. Configure the URL Filtering Inline ML settings in a URL Filtering profile.

   1. Select ObjectsSecurity ProfilesURL Filtering, then Add or select a URL Filtering profile.
   2. Select Inline ML and define an Action for each inline ML model.

      There are two classification engines available for each type of malicious webpage content: Phishing and JavaScript Exploit.

      • Block—When the firewall detects a website with phishing content, the firewall generates a URL Filtering log entry.
      • Alert—The firewall allows access to the website and generates a URL Filtering log entry.
      • Allow—The firewall allows access to the website but does not generate a URL Filtering log entry.

   3. Click OK to save your changes.
   4. Commit your changes.
4. (Optional) Add URL exceptions to your URL Filtering profile if you encounter false-positives.

   You can add exceptions by specifying an external dynamic list in the URL Filtering profile or by adding a web page entry from the URL Filtering logs to a custom URL category.

   1. Select Objects > Security Profiles > URL Filtering.
   2. Select a URL Filtering profile for which you want to exclude specific URLs, then select Inline ML.
   3. Add a pre-existing external dynamic list of URL type. If none is available, create a new external dynamic list.
   4. Click OK to save your changes.
   5. Commit your changes.

   Add file exceptions from URL Filtering log entries.

   1. Select Monitor > Logs > URL Filtering and filter the logs for URL entries with an Inline ML Verdict of malicious-javascript or phishing. Select a URL Filtering log for a URL that you wish to create an exception for.
   2. Go to the Detailed Log View and scroll down to the Details pane, then select Create Exception located next to the Inline ML Verdict.
   3. Select a custom category for the URL exception, then click OK.

      The new URL exception can be found in the list to which it was added, under Objects > Custom Objects > URL Category.
5. (Optional) Verify the status of your firewall’s connectivity to the inline ML cloud service.

   Use the following CLI command on the firewall to view the connection status.

   show mlav cloud-status 

   For example:

   show mlav cloud-status
   
   MLAV cloud
   Current cloud server:          ml.service.paloaltonetworks.com
   Cloud connection:              connected

   If you are unable to connect to the inline ML cloud service, verify that the ML domain ml.service.paloaltonetworks.com is not blocked.
6. Test your URL filtering deployment.

To view information about web pages that have been processed using URL Filtering inline ML, filter the logs (Monitor > Logs > URL Filtering) based on Inline ML Verdict. Web pages that have been determined to contain threats are categorized with verdicts of either phishing or malicious-javascript. For example: