Learn how to enable and configure inline ML-based URL
filtering for enhanced threat detection and prevention.
To enable your URL Filtering inline ML configuration,
attach the URL Filtering profile configured with the inline ML settings
to a Security policy rule (see Set Up a Basic Security Policy).
URL Filtering inline ML is not currently supported on the VM-50 or VM50L
virtual appliance.
To take advantage of URL Filtering inline ML,
you must have an active Advanced URL Filtering or legacy URL Filtering
subscription.
Verify that you have a URL Filtering subscription. To verify
subscriptions for which you have currently-active licenses, select
Device > Licenses and verify that the appropriate licenses display and
are not expired.
The image below shows the license entry for the legacy URL Filtering
subscription.
Create a new or update your existing URL Filtering profiles
to use URL Filtering inline ML.
Select an existing URL Filtering Profile or Add a new one
(Objects > Security Profiles > URL Filtering).
Select Inline ML and define a policy Action for each URL Filtering
inline ML model. This enforces the selected policy action on a per-model
basis. Currently, there are two classification engines available:
Phishing and JavaScript Exploit, one for each type of malicious webpage
content.
Block: When the firewall detects a website with phishing
content, the firewall generates a URL Filtering log entry.
Alert: The firewall allows access to the website and
generates a URL Filtering log entry.
Allow: The firewall allows access to the website but
does not generate a URL Filtering log entry.
Click OK to exit the URL Filtering Profile dialog, then Commit your
changes.
(Optional) Add URL exceptions to your URL Filtering
profile if you encounter false positives. You can add exceptions
by specifying an external dynamic list from the URL Filtering profile
or by adding a web page entry from the URL Filtering logs.
Add an external dynamic list of URL exceptions.
Select Objects > Security Profiles > URL Filtering.
Select a URL Filtering profile for which you want to exclude
specific URLs, then select Inline ML.
Add a pre-existing URL-based external dynamic list. If none is
available, create a new external dynamic list.
Click OK to save the URL Filtering profile and Commit your changes.
Add file exceptions from URL Filtering log entries.
Select Monitor > Logs > URL Filtering and filter the logs for URL
entries with an Inline ML Verdict of malicious-javascript or phishing.
Select a URL Filtering log for a URL that you wish to create an
exception for.
Go to the Detailed Log View and scroll down to the Details pane, then
select Create Exception located next to the Inline ML Verdict.
Select a custom category for the URL exception and click OK.
The new URL exception can be found in the list to which it
was added, under Objects > Custom Objects > URL Category.
(Optional) Verify the status of your firewall’s
connectivity to the inline ML cloud service.
Use the following CLI command on the firewall to view the
connection status.
show mlav cloud-status
For example:
show mlav cloud-status
MLAV cloud
Current cloud server: ml.service.paloaltonetworks.com
Cloud connection: connected
If you are unable to connect to the inline ML cloud service, verify
that the following domain is not being blocked:
ml.service.paloaltonetworks.com.
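One way to turn this check into a scripted health probe, as an added example that is not part of the original documentation. It parses captured output of show mlav cloud-status and reports findings; the function names are hypothetical, the wording of the failed state in the second sample is an assumption, and collecting the CLI output from the firewall is left to the operator.

```python
EXPECTED_SERVER = "ml.service.paloaltonetworks.com"  # domain named on this page

# Output as shown in the documentation example above.
SAMPLE_OK = """\
show mlav cloud-status
MLAV cloud
Current cloud server: ml.service.paloaltonetworks.com
Cloud connection: connected
"""

# Constructed sample: the exact wording of a failed state is an assumption.
SAMPLE_DOWN = """\
MLAV cloud
Current cloud server: ml.service.paloaltonetworks.com
Cloud connection: disconnected
"""


def parse_mlav_status(text):
    """Return the 'key: value' fields of the output, keys lower-cased."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def check_mlav_status(text, expected_server=EXPECTED_SERVER):
    """Return a list of findings; an empty list means the check passed."""
    fields = parse_mlav_status(text)
    findings = []
    server = fields.get("current cloud server")
    state = fields.get("cloud connection")
    if server is None:
        findings.append("no 'Current cloud server' field in output")
    elif server.lower() != expected_server:
        findings.append(f"unexpected cloud server: {server}")
    if state is None:
        findings.append("no 'Cloud connection' field in output")
    elif state.lower() != "connected":
        findings.append(f"cloud connection is '{state}'; check that "
                        f"{expected_server} is not being blocked")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("down", SAMPLE_DOWN)):
        print(name, check_mlav_status(sample) or "healthy")
```

Anything other than the value connected is treated as a failure, so an empty or truncated capture is reported instead of passing silently.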
To view information about web pages that have been processed
using URL Filtering inline ML, filter the logs
(Monitor > Logs > URL Filtering) based on Inline ML Verdict. Web pages
that have been determined to contain
threats are categorized with verdicts of either