Configure URL Filtering Inline ML

To enable your URL Filtering inline ML configuration, attach the URL Filtering profile configured with the inline ML settings to a security policy rule (see Set Up a Basic Security Policy).
URL Filtering inline ML is not currently supported on the VM-50 or VM50L virtual appliance.
  1. To take advantage of URL Filtering inline ML, you must have an active PAN-DB URL filtering subscription to analyze webpages for JavaScript and phishing threats.
    Verify that you have a PAN-DB URL Filtering subscription. To verify subscriptions for which you have currently-active licenses, select Device > Licenses and verify that the appropriate licenses display and are not expired.
  2. Create a new URL Filtering Security profile, or update an existing one, to use URL Filtering inline ML.
    1. Select an existing URL Filtering Profile or Add a new one (Objects > Security Profiles > URL Filtering).
    2. Select Inline ML and define a policy Action for each URL Filtering inline ML model. This enforces the selected policy action on a per-model basis. Currently, there are two classification engines available: Phishing and JavaScript Exploit, one for each type of malicious webpage content.
      • Block: The firewall blocks the website and the user will not be able to continue to the website. The firewall also generates a URL Filtering log entry.
      • Alert: The firewall allows access to the website but also generates a URL Filtering log entry.
      • Allow: The firewall allows access to the website and does not generate a URL Filtering log entry.
    3. Click OK to exit the URL Filtering Profile configuration dialog and Commit your changes.
  3. (Optional) Add URL exceptions to your URL Filtering security profile if you encounter false positives. You can add exceptions by specifying an EDL from the URL Filtering profile or by adding a web page entry from the URL Filtering logs.
    • Add an EDL URL exception list.
      1. Select Objects > Security Profiles > URL Filtering.
      2. Select a URL Filtering profile for which you want to exclude specific URLs and then select Inline ML.
      3. Click Add to select a pre-existing URL-based external dynamic list. If none is available, create a new external dynamic list.
      4. Click OK to save the URL Filtering profile and Commit your changes.
    • Add file exceptions from URL Filtering log entries.
      1. Select Monitor > Logs > URL Filtering and filter the logs for URL entries with an Inline ML Verdict of malicious-javascript or phishing. Select a URL Filtering log for a URL that you wish to create an exception for.
      2. Go to the Detailed Log View and scroll down to the Details pane, then select Create Exception located next to the Inline ML Verdict.
      3. Select a custom category for the URL exception and click OK.
      4. The new URL exception can be found in the list to which it was added, under Objects > Custom Objects > URL Category.
  4. (Optional) Verify the status of your firewall’s connectivity to the inline ML cloud service.
    Use the following CLI command on the firewall to view the connection status.
      show mlav cloud-status
    For example:
      show mlav cloud-status
      MLAV cloud
      Current cloud server: ml.service.paloaltonetworks.com
      Cloud connection: connected
    If you are unable to connect to the inline ML cloud service, verify that the following domain is not being blocked: ml.service.paloaltonetworks.com.
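The connectivity check in step 4 can be automated once the CLI output has been captured as text. The following is an added example, not part of the original documentation or vendor code: it parses the output format shown above and reports anything other than a connected state to the expected server. The function names and the failure sample are assumptions made for illustration.

```python
import re

# Hostname the page names as the inline ML cloud service.
EXPECTED_SERVER = "ml.service.paloaltonetworks.com"

# Field labels exactly as they appear in the page's sample output.
_FIELDS = {
    "server": r"Current cloud server:\s*(\S+)",
    "connection": r"Cloud connection:\s*(.+?)\s*(?:\n|$)",
}

def parse_cloud_status(output):
    """Extract server and connection state from `show mlav cloud-status` text."""
    result = {}
    for key, pattern in _FIELDS.items():
        match = re.search(pattern, output)
        result[key] = match.group(1).strip() if match else None
    return result

def check_cloud_status(output, expected_server=EXPECTED_SERVER):
    """Return a list of problems; an empty list means the check passed."""
    status = parse_cloud_status(output)
    if status["server"] is None or status["connection"] is None:
        return ["unrecognized output; expected server and connection fields"]
    problems = []
    if status["server"].lower() != expected_server:
        problems.append(f"unexpected cloud server: {status['server']}")
    # Only the exact state "connected" passes; any other value is reported.
    if status["connection"].lower() != "connected":
        problems.append(f"cloud connection is '{status['connection']}'; "
                        f"verify {expected_server} is not being blocked")
    return problems

# Constructed samples: the first mirrors the page's example output; the
# second is a made-up failure state (its exact wording is an assumption).
SAMPLE_OK = """MLAV cloud
Current cloud server: ml.service.paloaltonetworks.com
Cloud connection: connected
"""
SAMPLE_BAD = SAMPLE_OK.replace("connection: connected", "connection: disconnected")

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_cloud_status(text) or "healthy")
```

An empty result list means the firewall reported a connected state to the expected server; any other result should prompt the domain check described in step 4.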
To view information about web pages that have been processed using URL Filtering inline ML, filter the logs (Monitor > Logs > URL Filtering) based on Inline ML Verdict. Web pages that have been determined to contain threats are categorized with verdicts of either phishing or malicious-javascript.
