Configure URL Filtering Inline ML
Focus
Focus

Configure URL Filtering Inline ML

Table of Contents
End-of-Life (EoL)

Configure URL Filtering Inline ML

Learn how to enable and configure inline ML-based URL filtering for enhanced threat detection and prevention.
To enable your URL Filtering inline ML configuration, attach the URL Filtering profile configured with the inline ML settings to a Security policy rule (see Set Up a Basic Security Policy).
URL Filtering inline ML is not currently supported on the VM-50 or VM50L virtual appliance.
  1. To take advantage of URL Filtering inline ML, you must have an active Advanced URL Filtering or legacy URL Filtering subscription.
    Verify that you have a URL Filtering subscription. To verify subscriptions for which you have currently-active licenses, select
    Device
    Licenses
    and verify that the appropriate licenses display and are not expired. The image below shows the license entry for the legacy URL Filtering subscription.
  2. Create a new or update your existing URL Filtering profiles to use URL Filtering inline ML.
    1. Select an existing
      URL Filtering Profile
      or
      Add
      a new one (
      Objects
      Security Profiles
      URL Filtering
      ).
    2. Select
      Inline ML
      and define a policy
      Action
      for each URL Filtering inline ML model. This enforces the selected policy action on a per model basis. Currently, there are two classification engines available:
      Phishing
      and
      JavaScript Exploit
      , one for each type of malicious webpage content.
      • Block
        —When the firewall detects a website with phishing content, the firewall generates a URL Filtering log entry.
      • Alert
        —The firewall allows access to the website and generates a URL Filtering log entry.
      • Allow
        —The firewall allows access to the website but does not generate a URL Filtering log entry.
    3. Click
      OK
      to exit the URL Filtering Profile dialog, then
      Commit
      your changes.
  3. (Optional)
    Add URL exceptions to your URL Filtering profile if you encounter false-positives. You can add exceptions by specifying an external dynamic list from the URL Filtering profile or by adding a web page entry from the URL Filtering logs.
    • Add an external dynamic list of URL exceptions.
      1. Select
        Objects > Security Profiles > URL Filtering
        .
      2. Select a URL Filtering profile for which you want to exclude specific URLs, then select
        Inline ML
        .
      3. Add
        a pre-existing URL-based external dynamic list. If none is available, create a new external dynamic list.
      4. Click
        OK
        to save the URL Filtering profile and
        Commit
        your changes.
    • Add file exceptions from URL Filtering log entries.
      1. Select
        Monitor > Logs > URL Filtering
        and filter the logs for URL entries with an Inline ML Verdict of
        malicious-javascript
        or
        phishing
        . Select a URL Filtering log for a URL that you wish to create an exception for.
      2. Go to the
        Detailed Log View
        and scroll down to the
        Details
        pane, then select
        Create Exception
        located next to the
        Inline ML Verdict
        .
      3. Select a custom category for the URL exception and click
        OK
        .
      4. The new URL exception can be found in the list to which it was added, under
        Objects > Custom Objects > URL Category
        .
  4. (Optional)
    Verify the status of your firewall’s connectivity to the inline ML cloud service.
    Use the following CLI command on the firewall to view the connection status.
    show mlav cloud-status
    For example:
    show mlav cloud-status MLAV cloud Current cloud server: ml.service.paloaltonetworks.com Cloud connection: connected
    If you are unable to connect to the inline ML cloud service, verify that the following domain is not being blocked: ml.service.paloaltonetworks.com.
To view information about web pages that have been processed using URL Filtering inline ML, Filter the logs (
Monitor > Logs > URL Filtering
) based on
Inline ML Verdict
. Web pages that have been determined to contain threats are categorized with verdicts of either
phishing
or
malicious-javascript
. For example:

Recommended For You