Learn about custom error response in Prisma AIRS AI Runtime.
Prisma AIRS adds support for custom error responses from the AI Runtime firewall
when it detects AI-related threats. Currently, when the firewall detects a threat
in an AI prompt (request or response), it drops the packet and sends a TCP reset.
This behavior creates a problem: the application (the prompt generator) cannot
distinguish between a security block and a generic network failure, which leads to
unnecessary retries that degrade the user experience.
To resolve this issue, the custom error response:
- Provides a unique identifier. Rather than a generic network drop, the
firewall sends a unique custom response that informs the sender exactly why
the prompt was blocked.
- Stops unnecessary retries. The response includes a native HTTP response code
that prevents transport-layer retries, saving time and resources.
- Provides detailed threat reporting. The response provides specific details
regarding the detected threat.
- Integrates with Strata Logging Service. The response includes a unique ID
that allows you to cross-reference Strata Logging Service (SLS) logs for
real-time updates.
You can configure custom error responses using Panorama or Strata Cloud Manager
(SCM). Both allow you to dynamically enable or disable the custom response via a
new binary toggle in the AI Security profile’s Advanced Settings. The feature is
designed to require minimal changes to the application workload to process new
responses.
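
The following sketch shows what that application-side change can look like: retry on a transport failure such as a TCP reset, but stop immediately when the firewall returns a custom error response, and keep its unique ID for the SLS log lookup. It is an added example, not Palo Alto Networks code; the page does not specify the response format, so the status code, the JSON field names and the `send` callable are hypothetical placeholders.

```python
import json

# Assumption: the page does not give the response format. The status code and
# JSON field names below are hypothetical placeholders, not Prisma AIRS values.
BLOCK_STATUS = 403
ID_FIELD = "report_id"
DETAIL_FIELD = "threat"


class PromptBlocked(Exception):
    """The firewall returned a custom error response: do not retry."""

    def __init__(self, report_id, detail):
        super().__init__(f"prompt blocked ({detail}), report id {report_id}")
        self.report_id = report_id
        self.detail = detail


def parse_block(status, body):
    """Return (report_id, detail) for a security block, otherwise None."""
    if status != BLOCK_STATUS:
        return None
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None  # an ordinary error page from the service, not a block
    if not isinstance(doc, dict) or ID_FIELD not in doc:
        return None
    return doc[ID_FIELD], doc.get(DETAIL_FIELD, "unspecified")


def send_prompt(send, prompt, max_attempts=3):
    """Call send(prompt) -> (status, body); retry transport failures only."""
    attempts = 0
    while True:
        attempts += 1
        try:
            status, body = send(prompt)
        except ConnectionError:  # includes ConnectionResetError (TCP reset)
            if attempts >= max_attempts:
                raise
            continue  # looks like a network fault, so a retry is reasonable
        block = parse_block(status, body)
        if block:
            raise PromptBlocked(*block)  # carries the ID to search for in SLS
        return status, body, attempts
```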