Configure Inline Cloud Analysis
Advanced Threat Prevention


Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series
What Do I Need?
  • Advanced Threat Prevention or Threat Prevention License
Inline Cloud Analysis is an Advanced Threat Prevention feature that enables the detection of advanced, highly-evasive zero-day command-and-control (C2) threats and command injection and SQL injection vulnerabilities in real-time. Inline Cloud Analysis protection is delivered through your Anti-Spyware and Vulnerability Protection security profiles, with advanced C2 (command-and-control) and spyware threats handled by the former, and command injection and SQL injection vulnerabilities by the latter.
To enable and configure Inline Cloud Analysis, you must activate your Advanced Threat Prevention license and create (or modify) the Anti-Spyware and Vulnerability Protection security profiles. Then configure the action for each analysis engine in those profiles and attach the profiles to a security policy rule.

Cloud Management

  1. To take advantage of inline cloud analysis, you must have an active Prisma Access subscription, which provides access to Advanced Threat Prevention features. For information about the applications and services offered with Prisma Access, refer to All Available Apps and Services.
    To verify subscriptions for which you have currently-active licenses, Check What’s Supported With Your License.
  2. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
  3. Update or create a new Anti-Spyware Security profile to enable inline cloud analysis (to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time).
    1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > Anti-Spyware.
    2. Select your Anti-Spyware security profile, go to the Inline Cloud Analysis panel, and Enable Inline Cloud Analysis.
    3. Specify an Action to take when a threat is detected using a corresponding analysis engine. The default action for each analysis engine is alert; however, Palo Alto Networks recommends setting all actions to Reset-Both for the best security posture.
      • Allow—The request is allowed and no log entry is generated.
      • Alert—The request is allowed and a Threat log entry is generated.
      • Drop—Drops the request; a reset action is not sent to the host/application.
      • Reset-Client—Resets the client-side connection.
      • Reset-Server—Resets the server-side connection.
      • Reset-Both—Resets the connection on both the client and server ends.
    4. Click OK to exit the Anti-Spyware Profile configuration dialog and Commit your changes.
  4. (Optional) Add URL and/or IP address exceptions to your Anti-Spyware profile if Inline Cloud Analysis produces false-positives. You can add exceptions by specifying an external dynamic list (URL or IP address list types) or an Addresses policy object.
    1. Add an External Dynamic Lists or [IP] Addresses object exception.
    2. Select Manage > Configuration > Anti-Spyware.
    3. Select an Anti-Spyware profile for which you want to exclude specific URLs and/or IP addresses and then go to the Inline Cloud Analysis pane.
    4. Add EDL/URL or Add IP Address, depending on the type of exception you want to add, and then select a pre-existing URL or IP address external dynamic list. If none are available, create a new external dynamic list policy object. For IP address exceptions, you can, optionally, select an Addresses object list.
    5. Click OK to save the Anti-Spyware profile and Commit your changes.
  5. Update or create a new Vulnerability Protection Security profile to enable inline cloud analysis (to analyze traffic for command injection and SQL injection vulnerabilities in real-time).
    1. Select an existing Vulnerability Protection security profile or Add Profile (Manage > Configuration > Vulnerability Protection).
    2. Select your Vulnerability Protection profile, go to Inline Cloud Analysis, and Enable inline cloud analysis.
    3. Specify an Action to take when a vulnerability exploit is detected using a corresponding analysis engine. There are currently two analysis engines available: SQL Injection and Command Injection.
      • Allow—The request is allowed and no log entry is generated.
      • Alert—The request is allowed and a Threat log entry is generated.
      • Reset-Client—Resets the client-side connection.
      • Reset-Server—Resets the server-side connection.
      • Reset-Both—Resets the connection on both the client and server ends.
    4. Click OK to exit the Vulnerability Protection Profile configuration dialog and Commit your changes.
  6. (Optional) Add URL and/or IP address exceptions to your Vulnerability Protection profile if Inline Cloud Analysis produces false-positives. You can add exceptions by specifying an external dynamic list (URL or IP address list types) or an Addresses object.
    1. Add an External Dynamic Lists or [IP] Addresses object exception.
    2. Select Objects > Security Profiles > Vulnerability to return to your Vulnerability Protection profile.
    3. Select a Vulnerability profile for which you want to exclude specific URLs and/or IP addresses and then select Inline Cloud Analysis.
    4. Add an EDL URL or IP Address, depending on the type of exception you want to add, and then select a pre-existing URL or IP address external dynamic list. If none are available, create a new external dynamic list. For IP address exceptions, you can, optionally, select an Addresses object list.
    5. Click OK to save the Vulnerability Protection profile and commit your changes.

PAN-OS 10.2 and Later

Inline Cloud Analysis is available on firewalls running PAN-OS 10.2 and later.
  1. To take advantage of inline cloud analysis, you must have an active Advanced Threat Prevention subscription.
    To verify subscriptions for which you have currently-active licenses, select Device > Licenses and verify that the appropriate licenses are available and have not expired.
  2. Update or create a new Anti-Spyware Security profile to enable inline cloud analysis (to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time).
    1. Select an existing Anti-Spyware Profile or Add a new one (Objects > Security Profiles > Anti-Spyware).
    2. Select your Anti-Spyware profile, go to Inline Cloud Analysis, and Enable inline cloud analysis.
    3. Specify an Action to take when a threat is detected using a corresponding analysis engine. The default action for each analysis engine is alert; however, Palo Alto Networks recommends setting all actions to Reset-Both for the best security posture.
      • Allow—The request is allowed and no log entry is generated.
      • Alert—The request is allowed and a Threat log entry is generated.
      • Drop—Drops the request; a reset action is not sent to the host/application.
      • Reset-Client—Resets the client-side connection.
      • Reset-Server—Resets the server-side connection.
      • Reset-Both—Resets the connection on both the client and server ends.
    4. Click OK to exit the Anti-Spyware Profile configuration dialog and Commit your changes.
  3. (Optional) Add URL and/or IP address exceptions to your Anti-Spyware profile if Inline Cloud Analysis produces false-positives. You can add exceptions by specifying an external dynamic list (URL or IP address list types) or an Addresses object.
    1. Add an External Dynamic Lists or [IP] Addresses object exception.
    2. Select Objects > Security Profiles > Anti-Spyware.
    3. Select an Anti-Spyware profile for which you want to exclude specific URLs and/or IP addresses and then select Inline Cloud Analysis.
    4. Add an EDL URL or IP Address, depending on the type of exception you want to add, and then select a pre-existing URL or IP address external dynamic list. If none are available, create a new external dynamic list. For IP address exceptions, you can, optionally, select an Addresses object list.
    5. Click OK to save the Anti-Spyware profile and Commit your changes.
  4. Update or create a new Vulnerability Protection Security profile to enable inline cloud analysis (to analyze traffic for command injection and SQL injection vulnerabilities in real-time).
    Currently available only in PAN-OS 11.0.
    1. Select an existing Vulnerability Protection security profile or Add a new one (Objects > Security Profiles > Vulnerability Protection).
    2. Select your Vulnerability Protection profile, go to Inline Cloud Analysis, and Enable cloud inline analysis.
    3. Specify an Action to take when a vulnerability exploit is detected using a corresponding analysis engine. There are currently two analysis engines available: SQL Injection and Command Injection.
      • Allow—The request is allowed and no log entry is generated.
      • Alert—The request is allowed and a Threat log entry is generated.
      • Reset-Client—Resets the client-side connection.
      • Reset-Server—Resets the server-side connection.
      • Reset-Both—Resets the connection on both the client and server ends.
    4. Click OK to exit the Vulnerability Protection Profile configuration dialog and Commit your changes.
  5. (Optional) Add URL and/or IP address exceptions to your Vulnerability Protection profile if Inline Cloud Analysis produces false-positives. You can add exceptions by specifying an external dynamic list (URL or IP address list types) or an Addresses object.
    1. Add an External Dynamic Lists or [IP] Addresses object exception.
    2. Select Objects > Security Profiles > Vulnerability to return to your Vulnerability Protection profile.
    3. Select a Vulnerability profile for which you want to exclude specific URLs and/or IP addresses and then select Inline Cloud Analysis.
    4. Add an EDL URL or IP Address, depending on the type of exception you want to add, and then select a pre-existing URL or IP address external dynamic list. If none are available, create a new external dynamic list. For IP address exceptions, you can, optionally, select an Addresses object list.
    5. Click OK to save the Vulnerability Protection profile and Commit your changes.
  6. Configure the timeout latency and action to take when the request exceeds the max latency.
    1. Select Device > Setup > Content-ID > Threat Prevention Inline Cloud Analysis.
    2. Specify the timeout value and the associated action to take when latency limits are reached for Inline Cloud Analysis requests:
      • Max Latency (ms)—Specify the maximum acceptable processing time, in seconds, for Inline Cloud Analysis to return a result.
      • Allow on Max Latency—Enables the firewall to take the action of allow, when the maximum latency is reached. De-selecting this option sets the firewall action to block.
      • Log Traffic Not Scanned—Enables the firewall to log traffic requests that exhibit anomalous traits indicating the presence of advanced and evasive command-and-control (C2) threats, but have not been processed by Threat Prevention Inline Cloud analyzers.
    3. Click OK to confirm your changes.
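The three settings in step 6 decide what happens to a request whose cloud verdict does not arrive in time: Allow on Max Latency makes the firewall fail open, clearing it makes it fail closed, and Log Traffic Not Scanned is the only way the unscanned request becomes visible in logs. The following Python model is an added example, not PAN-OS or Palo Alto Networks code: it runs a simulated analyzer against the Max Latency budget and applies the same fallback rules. The `simulated_cloud` helper, the `block` action name used for the fail-closed case and the log labels are assumptions made for illustration.

```python
"""Added example: model of the Inline Cloud Analysis latency settings.
Not PAN-OS code; the action and log label names are illustrative assumptions."""
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as AnalysisTimeout
from dataclasses import dataclass


@dataclass(frozen=True)
class LatencySettings:
    """Mirrors the three fields under Threat Prevention Inline Cloud Analysis."""
    max_latency_ms: int
    allow_on_max_latency: bool    # True = fail open, False = fail closed
    log_traffic_not_scanned: bool


@dataclass(frozen=True)
class Decision:
    action: str          # "allow", "block", or the profile action on a threat
    scanned: bool        # False when the cloud verdict missed the latency budget
    log_entries: tuple   # constructed log labels, e.g. ("threat",)


def simulated_cloud(verdict, delay_ms):
    """Return a callable behaving like a cloud analyzer with fixed latency (constructed)."""
    def analyze():
        time.sleep(delay_ms / 1000)
        return verdict
    return analyze


def evaluate_request(analyze, settings, profile_action="reset-both"):
    """Apply the profile action to a verdict, or the latency fallback on timeout.

    analyze: callable returning "benign" or "malicious".
    profile_action: the per-engine Action configured in the security profile.
    """
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        verdict = pool.submit(analyze).result(timeout=settings.max_latency_ms / 1000)
    except AnalysisTimeout:
        # Verdict missed the Max Latency budget: the request is not scanned.
        action = "allow" if settings.allow_on_max_latency else "block"
        logs = ("traffic-not-scanned",) if settings.log_traffic_not_scanned else ()
        return Decision(action, scanned=False, log_entries=logs)
    finally:
        pool.shutdown(wait=False)   # do not wait for a late analyzer to finish

    if verdict == "benign":
        return Decision("allow", scanned=True, log_entries=())
    if profile_action == "allow":
        # "Allow" in the profile passes the request and writes no log entry.
        return Decision("allow", scanned=True, log_entries=())
    # alert, drop, reset-client, reset-server and reset-both all write a Threat log;
    # only "alert" still lets the request through.
    return Decision(profile_action, scanned=True, log_entries=("threat",))


def allowed(decision):
    """True if the request reaches its destination under this decision."""
    return decision.action in ("allow", "alert")


if __name__ == "__main__":
    fail_open = LatencySettings(max_latency_ms=50, allow_on_max_latency=True,
                                log_traffic_not_scanned=True)
    fail_closed = LatencySettings(max_latency_ms=50, allow_on_max_latency=False,
                                  log_traffic_not_scanned=True)
    for name, settings in (("fail open", fail_open), ("fail closed", fail_closed)):
        d = evaluate_request(simulated_cloud("malicious", 400), settings)
        print(f"{name}: late verdict -> {d.action}, logs={d.log_entries}")
```

Running the model with a 400 ms analyzer against a 50 ms budget shows the point of the settings: with Allow on Max Latency a malicious request passes and only a "not scanned" record remains, so enabling Log Traffic Not Scanned is what lets you measure how often the budget is being exceeded before deciding whether fail-open is acceptable.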
  7. Install a Device Certificate. Repeat for all firewalls enabled for inline cloud analysis.
  8. (Optional) Set the Cloud Content Fully Qualified Domain Name (FQDN) used by the firewall to handle inline cloud analysis service requests. The default FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then resolves to the closest cloud services server. You can override the automatic server selection by specifying a regional cloud content server that best meets your data residency and performance requirements.
    The Cloud Content FQDN is a globally used resource and affects how other services that rely on this connection send traffic payloads.
    Verify that the firewall uses the correct Content Cloud FQDN (Device > Setup > Content-ID > Content Cloud Setting) for your region and change the FQDN if necessary:
    If your NGFW is configured inline to facilitate a SaaS Security deployment, please note that the FQDNs located in France and Japan do not currently support SaaS Security functionality.
    • US Central (Iowa, US)—
      us.hawkeye.services-edge.paloaltonetworks.com
    • Europe (Frankfurt, Germany)—
      eu.hawkeye.services-edge.paloaltonetworks.com
    • APAC (Singapore)—
      apac.hawkeye.services-edge.paloaltonetworks.com
    • India (Mumbai)—
      in.hawkeye.services-edge.paloaltonetworks.com
    • UK (London, England)—
      uk.hawkeye.services-edge.paloaltonetworks.com
    • France (Paris, France)—
      fr.hawkeye.services-edge.paloaltonetworks.com
    • Japan (Tokyo, Japan)—
      jp.hawkeye.services-edge.paloaltonetworks.com
    • Australia (Sydney, Australia)—
      au.hawkeye.services-edge.paloaltonetworks.com
    • Canada (Montréal, Canada)—
      ca.hawkeye.services-edge.paloaltonetworks.com
    • Switzerland (Zürich, Switzerland)—
      ch.hawkeye.services-edge.paloaltonetworks.com
  9. (Optional) Verify the status of your firewall connectivity to the Advanced Threat Prevention cloud service.
    Use the following CLI command on the firewall to view the connection status:
    show ctd-agent status security-client
    For example:
    show ctd-agent status security-client
    ...
    Security Client AceMlc2(1)
    Current cloud server: hawkeye.services-edge.paloaltonetworks.com
    Cloud connection: connected
    ...
    CLI output shortened for brevity.
    If you are unable to connect to the Advanced Threat Prevention cloud service, verify that the following domain is not being blocked: hawkeye.services-edge.paloaltonetworks.com.
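When many firewalls are enabled for inline cloud analysis, the check in step 9 is worth automating: collect the output of show ctd-agent status security-client from each device and confirm both that the connection is up and that the current cloud server is the FQDN you expect for your region (step 8). The script below is an added example, not a Palo Alto Networks tool; it parses only the two fields shown in the shortened output above. The sample outputs are constructed, the firewall names are placeholders, and the "disconnected" state string is an assumption (the page shows only the connected case).

```python
"""Added example: parse `show ctd-agent status security-client` output and
check the cloud connection. Not a PAN-OS or Palo Alto Networks tool; the
sample outputs below are constructed from the shortened output on this page."""
import re

DEFAULT_FQDN = "hawkeye.services-edge.paloaltonetworks.com"

# Regional Cloud Content FQDNs as listed in step 8 of the documentation.
REGIONAL_FQDNS = {
    "us": "us.hawkeye.services-edge.paloaltonetworks.com",
    "eu": "eu.hawkeye.services-edge.paloaltonetworks.com",
    "apac": "apac.hawkeye.services-edge.paloaltonetworks.com",
    "in": "in.hawkeye.services-edge.paloaltonetworks.com",
    "uk": "uk.hawkeye.services-edge.paloaltonetworks.com",
    "fr": "fr.hawkeye.services-edge.paloaltonetworks.com",
    "jp": "jp.hawkeye.services-edge.paloaltonetworks.com",
    "au": "au.hawkeye.services-edge.paloaltonetworks.com",
    "ca": "ca.hawkeye.services-edge.paloaltonetworks.com",
    "ch": "ch.hawkeye.services-edge.paloaltonetworks.com",
}
KNOWN_SERVERS = {DEFAULT_FQDN, *REGIONAL_FQDNS.values()}

_SERVER_RE = re.compile(r"Current cloud server:\s*(\S+)")
_CONN_RE = re.compile(r"Cloud connection:\s*(\S+)")


def parse_security_client_status(output):
    """Return the cloud server and connection state found in the CLI output."""
    server = _SERVER_RE.search(output)
    conn = _CONN_RE.search(output)
    return {
        "server": server.group(1) if server else None,
        "connection": conn.group(1) if conn else None,
    }


def check_firewall(name, output, expected_region=None):
    """Return a list of findings for one firewall (empty means it looks healthy)."""
    status = parse_security_client_status(output)
    findings = []
    if status["connection"] is None or status["server"] is None:
        findings.append(f"{name}: could not parse ctd-agent status output")
        return findings
    if status["connection"] != "connected":
        findings.append(f"{name}: cloud connection is {status['connection']!r}; "
                        f"verify that {DEFAULT_FQDN} is not being blocked")
    if status["server"] not in KNOWN_SERVERS:
        # A server outside the documented set deserves a look before anything else.
        findings.append(f"{name}: unexpected cloud server {status['server']!r}")
    elif expected_region and status["server"] != REGIONAL_FQDNS[expected_region]:
        findings.append(f"{name}: cloud server is {status['server']} but the "
                        f"{expected_region} FQDN {REGIONAL_FQDNS[expected_region]} was expected")
    return findings


# Constructed sample outputs, modelled on the shortened output in the docs.
SAMPLE_HEALTHY = """\
Security Client AceMlc2(1)
Current cloud server: eu.hawkeye.services-edge.paloaltonetworks.com
Cloud connection: connected
"""
SAMPLE_DISCONNECTED = """\
Security Client AceMlc2(1)
Current cloud server: hawkeye.services-edge.paloaltonetworks.com
Cloud connection: disconnected
"""

if __name__ == "__main__":
    # Placeholder firewall names; in practice feed in each device's CLI output.
    for fw, out in (("fw-eu-1", SAMPLE_HEALTHY), ("fw-eu-2", SAMPLE_DISCONNECTED)):
        for line in check_firewall(fw, out, expected_region="eu") or [f"{fw}: ok"]:
            print(line)
```

Pass `expected_region` only where you have deliberately pinned the Content Cloud FQDN; a firewall left on the default FQDN reports the default server and would otherwise be flagged as a mismatch.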
