Configure Inline Categorization
Focus
Focus
Advanced URL Filtering

Configure Inline Categorization

Table of Contents

Configure Inline Categorization

Enable inline machine learning-based URL filtering for real-time analysis of web pages.
Where can I use this?
What do I need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
Notes:
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access
    usually include
    Advanced URL Filtering
    capabilities.
To enable inline categorization, attach a URL Filtering profile configured with inline categorization settings to a Security policy rule (see Set Up a Basic Security Policy).
URL Filtering local inline categorization is not currently supported on the VM-50 or VM50L virtual appliance.

Cloud Managed

If you’re using Panorama to manage
Prisma Access
:
Toggle over to the
PAN-OS & Panorama
tab and follow the guidance there.
If you’re using
Strata Cloud Manager
, continue here.
  1. Update or create a URL Access Management profile.
    1. Go to
      Manage
      Configuration
      Security Services
      URL Access Management
      .
    2. On the URL Access Management dashboard, select a URL Access Management profile or
      Add Profile
      .
      If you create a new profile, configure settings in the profile, such as site access for URL categories (
      Access Control
      ). Configure URL Filtering (Cloud Management) describes the available settings.
    3. Under
      Advanced URL Inline Categorization
      , select an inline categorization type.
      Both options enable real-time web page analysis and manage URL exceptions.
      • Enable cloud Inline Categorization
        —Enables real-time analysis of URLs by forwarding suspicious web page contents to the cloud for supplemental analysis, using machine learning based detectors that complement the analysis engines used by local inline ML.
      • Enable local Inline Categorization
        —Enables real-time analysis of URL traffic using machine learning models, to detect and prevent malicious phishing variants and JavaScript exploits from entering your network.
      • You can also define URL
        Exceptions
        to exclude specific websites from inline machine learning actions.
    4. Save
      the profile.
  2. Apply the URL Access Management profile to a Security policy rule.
    To activate a URL Access Management profile (and any Security profile), add it to
    profile group
    and reference the profile group in a Security policy rule.

PAN-OS & Panorama

Configure inline categorization based on the PAN-OS version your management interface is running.
In PAN-OS 10.2, the URL Filtering Inline ML feature was renamed to Inline Categorization. As a result, the PAN-OS 10.1 task uses the phrase URL Filtering inline ML while the PAN-OS 10.2 and Later task uses Inline Categorization. For more information, review the URL Filtering Inline ML entry in PAN-OS 10.2 Upgrade/Downgrade Considerations.

PAN-OS 10.1

Configure URL Filtering Inline ML in PAN-OS 10.1.
  1. Verify that you have an active legacy URL filtering or Advanced URL Filtering subscription.
    Select
    Device
    Licenses
    and confirm that a URL filtering license is available and has not expired.
  2. Configure the URL Filtering Inline ML settings in a URL Filtering profile.
    1. Select
      Objects
      Security Profiles
      URL Filtering
      , then
      Add
      or select a URL Filtering profile.
    2. Select
      Inline ML
      and define an
      Action
      for each inline ML model.
      There are two classification engines available for each type of malicious webpage content:
      Phishing
      and
      JavaScript Exploit
      .
      • Block
        —When the firewall detects a website with phishing content, the firewall generates a URL Filtering log entry.
      • Alert
        —The firewall allows access to the website and generates a URL Filtering log entry.
      • Allow
        —The firewall allows access to the website but does not generate a URL Filtering log entry.
    3. Click
      OK
      to save your changes.
    4. Commit
      your changes.
  3. (Optional)
    Add URL exceptions to your URL Filtering profile if you encounter false-positives.
    You can add exceptions by specifying an external dynamic list in the URL Filtering profile or by adding a web page entry from the URL Filtering logs to a custom URL category.
    1. Select
      Objects > Security Profiles > URL Filtering
      .
    2. Select a URL Filtering profile for which you want to exclude specific URLs, then select
      Inline ML
      .
    3. Add
      a pre-existing external dynamic list of URL type. If none is available, create a new external dynamic list.
    4. Click
      OK
      to save your changes.
    5. Commit
      your changes.
    Add file exceptions from URL Filtering log entries.
    1. Select
      Monitor > Logs > URL Filtering
      and filter the logs for URL entries with an Inline ML Verdict of
      malicious-javascript
      or
      phishing
      . Select a URL Filtering log for a URL that you wish to create an exception for.
    2. Go to the
      Detailed Log View
      and scroll down to the
      Details
      pane, then select
      Create Exception
      located next to the
      Inline ML Verdict
      .
    3. Select a custom category for the URL exception, then click
      OK
      .
      The new URL exception can be found in the list to which it was added, under
      Objects > Custom Objects > URL Category
      .
  4. (Optional)
    Verify the status of your firewall’s connectivity to the inline ML cloud service.
    Use the following CLI command on the firewall to view the connection status.
    show mlav cloud-status
    For example:
    show mlav cloud-status MLAV cloud Current cloud server: ml.service.paloaltonetworks.com Cloud connection: connected
    If you are unable to connect to the inline ML cloud service, verify that the ML domain ml.service.paloaltonetworks.com is not blocked.
To view information about web pages that have been processed using URL Filtering inline ML, filter the logs (
Monitor > Logs > URL Filtering
) based on
Inline ML Verdict
. Web pages that have been determined to contain threats are categorized with verdicts of either
phishing
or
malicious-javascript
. For example:

PAN-OS 10.2 and Later

  1. To take advantage of inline categorization, you must have an active Advanced URL Filtering subscription.
    Local inline categorization can be enabled if you are a pre-existing holder of a legacy URL Filtering subscription.
    Verify that you have an Advanced URL Filtering subscription. To verify subscriptions for which you have currently-active licenses, select
    Device
    Licenses
    and verify that the appropriate licenses are available and have not expired.
  2. Update or create a new URL Filtering profile to enable cloud inline categorization.
    The policy action used by local and cloud inline categorization is dependent on the configured settings under the
    Categories
    tab.
    1. Select an existing
      URL Filtering Profile
      or
      Add
      a new one (
      Objects
      Security Profiles
      URL Filtering
      ).
    2. Select your URL Filtering profile and then go to
      Inline Categorization
      and enable the inline categorization methods you want to deploy.
      • Enable cloud inline categorization
        —A cloud-based inline deep learning engine that analyzes suspicious web page content in real-time to protect users against zero-day web attacks, including targeted phishing attacks, and other web-based attacks that use advanced evasion techniques.
      • Enable local inline categorization
        —A firewall-based detection engine using machine learning techniques to prevent malicious variants of JavaScript exploits and phishing attacks embedded in webpages.
    3. Click
      OK
      and
      Commit
      your changes.
  3. (Optional)
    Add URL exceptions to your URL Filtering profile if you encounter false-positives. You can add exceptions by specifying an external dynamic list or custom URL category list in the URL Filtering profile. The specified exceptions apply to both cloud and local inline categorization.
    URL exceptions created through other mechanisms that add entries to the custom URL category (
    Objects
    Custom Objects
    URL Category
    )
    can also function as exceptions for inline categorization.
    1. Select
      Objects > Security Profiles > URL Filtering
      .
    2. Select a URL Filtering profile for which you want to exclude specific URLs, then select
      Inline Categorization
      .
    3. Click
      Add
      to select a pre-existing URL-based external dynamic list or custom URL category. If none is available, create a new external dynamic list or custom URL category, respectively.
    4. Click
      OK
      to save the URL Filtering profile and
      Commit
      your changes.
  4. (Optional)
    Set the Cloud Content Fully Qualified Domain Name (FQDN) used by the firewall to handle inline categorization service requests. The default FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then resolves to the closest cloud services server. You can override the automatic server selection by specifying a regional cloud content server that best meets your data residency and performance requirements.
    The Cloud Content FQDN is a globally used resource and affects how other services that rely on this connection sends traffic payloads.
    Verify that the firewall uses the correct Content Cloud FQDN (
    Device
    Setup
    Content-ID
    Content Cloud Setting
    ) for your region and change the FQDN if necessary:
    • US—
      us.hawkeye.services-edge.paloaltonetworks.com
    • EU—
      eu.hawkeye.services-edge.paloaltonetworks.com
    • UK—
      uk.hawkeye.services-edge.paloaltonetworks.com
      The UK-based cloud content FQDN provides Advanced URL Filtering inline categorization service support by connecting to the backend service located in the EU (eu.hawkeye.services-edge.paloaltonetworks.com).
    • APAC—
      apac.hawkeye.services-edge.paloaltonetworks.com
  5. (Optional)
    Verify the status of your firewall’s connectivity to the inline categorization servers.
    1. The ml.service.paloaltonetworks.com server provides periodic updates for firewall-based components related to the operation of cloud and local inline categorization.
      Use the following CLI command on the firewall to view the connection status.
      show mlav cloud-status
      For example:
      show mlav cloud-status MLAV cloud Current cloud server: ml.service.paloaltonetworks.com Cloud connection: connected
      If you are unable to connect to the inline ML cloud service, verify that the following domain is not being blocked: ml.service.paloaltonetworks.com.
    2. The hawkeye.services-edge.paloaltonetworks.com server is used by cloud inline categorization to handle service requests.
      Use the following CLI command on the firewall to view the connection status.
      show ctd-agent status security-client
      For example:
      show ctd-agent status security-client ... Security Client AceMlc2(1) Current cloud server: hawkeye.services-edge.paloaltonetworks.com Cloud connection: connected ...
      CLI output shortened for brevity.
      If you are unable to connect to the Advanced URL Filtering cloud service, verify that the following domain is not being blocked: hawkeye.services-edge.paloaltonetworks.com.

Recommended For You