Advanced URL Filtering
Configure Inline Categorization
Table of Contents
Configure Inline Categorization
Enable inline machine learning-based URL filtering for
real-time analysis of web pages.
Where can I use
this? | What do I need? |
---|---|
|
Notes:
|
To enable inline categorization, attach a URL
Filtering profile configured with inline categorization settings
to a Security policy rule (see Set Up a Basic Security Policy).
URL
Filtering local inline categorization is not currently supported on
the VM-50 or VM50L virtual appliance.
Configure Inline Categorization (Strata Cloud Manager)
Strata Cloud Manager
)If you’re using Panorama to manage
Prisma Access
:Toggle over to the
PAN-OS & Panorama
tab and follow the guidance
there.If you’re using
Strata Cloud Manager
, continue here.- Update or create a URL Access Management profile.
- Go to.ManageConfigurationSecurity ServicesURL Access Management
- On the URL Access Management dashboard, select a URL Access Management profile orAdd Profile.If you create a new profile, configure settings in the profile, such as site access for URL categories (Access Control). Configure URL Filtering (Cloud Management) describes the available settings.
- UnderAdvanced URL Inline Categorization, select an inline categorization type.Both options enable real-time web page analysis and manage URL exceptions.
- Enable cloud Inline Categorization—Enables real-time analysis of URLs by forwarding suspicious web page contents to the cloud for supplemental analysis, using machine learning based detectors that complement the analysis engines used by local inline ML.
- Enable local Inline Categorization—Enables real-time analysis of URL traffic using machine learning models, to detect and prevent malicious phishing variants and JavaScript exploits from entering your network.
- You can also define URLExceptionsto exclude specific websites from inline machine learning actions.
- Savethe profile.
- Apply the URL Access Management profile to a Security policy rule.To activate a URL Access Management profile (and any Security profile), add it toprofile groupand reference the profile group in a Security policy rule.
Configure Inline Categorization (PAN-OS & Panorama)
PAN-OS
& Panorama
)Configure inline categorization based on the PAN-OS version your management interface
is running.
In PAN-OS 10.2, the URL Filtering Inline ML feature was renamed
to Inline Categorization. As a result, the PAN-OS 10.1 task uses the phrase URL
Filtering inline ML while the PAN-OS 10.2 and Later task uses Inline Categorization. For
more information, review the URL Filtering Inline ML entry in PAN-OS 10.2 Upgrade/Downgrade
Considerations.
Configure Inline Categorization (PAN-OS 10.1)
Configure URL Filtering Inline ML in PAN-OS 10.1.
- Verify that you have an active legacy URL filtering or Advanced URL Filtering subscription.Selectand confirm that a URL filtering license is available and has not expired.DeviceLicenses
- Configure the URL Filtering Inline ML settings in a URL Filtering profile.
- Select, thenObjectsSecurity ProfilesURL FilteringAddor select a URL Filtering profile.
- SelectInline MLand define anActionfor each inline ML model.There are two classification engines available for each type of malicious webpage content:PhishingandJavaScript Exploit.
- Block—When the firewall detects a website with phishing content, the firewall generates a URL Filtering log entry.
- Alert—The firewall allows access to the website and generates a URL Filtering log entry.
- Allow—The firewall allows access to the website but does not generate a URL Filtering log entry.
- ClickOKto save your changes.
- Commityour changes.
- (Optional)Add URL exceptions to your URL Filtering profile if you encounter false-positives.You can add exceptions by specifying an external dynamic list in the URL Filtering profile or by adding a web page entry from the URL Filtering logs to a custom URL category.
- SelectObjects > Security Profiles > URL Filtering.
- Select a URL Filtering profile for which you want to exclude specific URLs, then selectInline ML.
- Adda pre-existing external dynamic list of URL type. If none is available, create a new external dynamic list.
- ClickOKto save your changes.
- Commityour changes.
Add file exceptions from URL Filtering log entries.- SelectMonitor > Logs > URL Filteringand filter the logs for URL entries with an Inline ML Verdict ofmalicious-javascriptorphishing. Select a URL Filtering log for a URL that you wish to create an exception for.
- Go to theDetailed Log Viewand scroll down to theDetailspane, then selectCreate Exceptionlocated next to theInline ML Verdict.
- Select a custom category for the URL exception, then clickOK.The new URL exception can be found in the list to which it was added, underObjects > Custom Objects > URL Category.
- (Optional)Verify the status of your firewall’s connectivity to the inline ML cloud service.Use the following CLI command on the firewall to view the connection status.show mlav cloud-statusFor example:show mlav cloud-status MLAV cloud Current cloud server: ml.service.paloaltonetworks.com Cloud connection: connectedIf you are unable to connect to the inline ML cloud service, verify that the ML domain ml.service.paloaltonetworks.com is not blocked.
To view information about web pages that have been
processed using URL Filtering inline ML, filter the logs (
Monitor > Logs >
URL Filtering
) based on Inline ML Verdict
. Web
pages that have been determined to contain threats are categorized with verdicts of
either phishing
or malicious-javascript
.
For example:Configure Inline Categorization (PAN-OS 10.2 & Later)
- To take advantage of inline categorization, you must have an active Advanced URL Filtering subscription.Local inline categorization can be enabled if you are a pre-existing holder of a legacy URL Filtering subscription.Verify that you have an Advanced URL Filtering subscription. To verify subscriptions for which you have currently-active licenses, selectand verify that the appropriate licenses are available and have not expired.DeviceLicenses
- Update or create a new URL Filtering profile to enable cloud inline categorization.The policy action used by local and cloud inline categorization is dependent on the configured settings under theCategoriestab.
- Select an existingURL Filtering ProfileorAdda new one ().ObjectsSecurity ProfilesURL Filtering
- Select your URL Filtering profile and then go toInline Categorizationand enable the inline categorization methods you want to deploy.
- Enable cloud inline categorization—A cloud-based inline deep learning engine that analyzes suspicious web page content in real-time to protect users against zero-day web attacks, including targeted phishing attacks, and other web-based attacks that use advanced evasion techniques.
- Enable local inline categorization—A firewall-based detection engine using machine learning techniques to prevent malicious variants of JavaScript exploits and phishing attacks embedded in webpages.
- ClickOKandCommityour changes.
- (Optional)Add URL exceptions to your URL Filtering profile if you encounter false-positives. You can add exceptions by specifying an external dynamic list or custom URL category list in the URL Filtering profile. The specified exceptions apply to both cloud and local inline categorization.can also function as exceptions for inline categorization.URL exceptions created through other mechanisms that add entries to the custom URL category ()ObjectsCustom ObjectsURL Category
- SelectObjects > Security Profiles > URL Filtering.
- Select a URL Filtering profile for which you want to exclude specific URLs, then selectInline Categorization.
- ClickAddto select a pre-existing URL-based external dynamic list or custom URL category. If none is available, create a new external dynamic list or custom URL category, respectively.
- ClickOKto save the URL Filtering profile andCommityour changes.
- (Required when the firewall is deployed with an explicit proxy server)Configure the proxy server used to access the servers that facilitate requests generated by all configured inline cloud analysis features. A single proxy server can be specified and applies to all Palo Alto Networks update services, including all configured inline cloud and logging services.
- (PAN-OS 11.2.3 and later)Configure the proxy server through PAN-OS.
- Selectand edit theDeviceSetupServicesServicesdetails.
- Specify theProxy Serversettings andEnable proxy for Inline Cloud Services. You can provide either an IP address or FQDN in theServerfield.The proxy server password must contain a minimum of six characters.
- ClickOK.
- (PAN-OS 10.2.11 and later)Configure the proxy server through the firewall CLI.
- Configure the base proxy server settings using the following CLI commands:set deviceconfig system secure-proxy-server <FQDN_or_IP> set deviceconfig system secure-proxy-port <1-65535> set deviceconfig system secure-proxy-user <value> set deviceconfig system secure-proxy-password <value>The proxy server password must contain a minimum of six characters.
- Enable the proxy server to send requests to the inline cloud service servers using the following CLI command:debug dataplane mica set inline-cloud-proxy enable
- View the current operational status of proxy support for inline cloud services using the following CLI command:debug dataplane mica show inline-cloud-proxyFor example:debug dataplane mica show inline-cloud-proxy Proxy for Advanced Services is Disabled
- (Optional)Set the Cloud Content Fully Qualified Domain Name (FQDN) used by the firewall to handle inline categorization service requests. The default FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then resolves to the closest cloud services server. You can override the automatic server selection by specifying a regional cloud content server that best meets your data residency and performance requirements.The Cloud Content FQDN is a globally used resource and affects how other services that rely on this connection sends traffic payloads.Verify that the firewall uses the correct Content Cloud FQDN () for your region and change the FQDN if necessary:DeviceSetupContent-IDContent Cloud Setting
- US—us.hawkeye.services-edge.paloaltonetworks.com
- EU—eu.hawkeye.services-edge.paloaltonetworks.com
- UK—uk.hawkeye.services-edge.paloaltonetworks.comThe UK-based cloud content FQDN provides Advanced URL Filtering inline categorization service support by connecting to the backend service located in the EU (eu.hawkeye.services-edge.paloaltonetworks.com).
- APAC—apac.hawkeye.services-edge.paloaltonetworks.com
- (Optional)Verify the status of your firewall’s connectivity to the inline categorization servers.
- The ml.service.paloaltonetworks.com server provides periodic updates for firewall-based components related to the operation of cloud and local inline categorization.Use the following CLI command on the firewall to view the connection status.show mlav cloud-statusFor example:show mlav cloud-status MLAV cloud Current cloud server: ml.service.paloaltonetworks.com Cloud connection: connectedIf you are unable to connect to the inline ML cloud service, verify that the following domain is not being blocked: ml.service.paloaltonetworks.com.
- The hawkeye.services-edge.paloaltonetworks.com server is used by cloud inline categorization to handle service requests.Use the following CLI command on the firewall to view the connection status.show ctd-agent status security-clientFor example:show ctd-agent status security-client ... Security Client AceMlc2(1) Current cloud server: hawkeye.services-edge.paloaltonetworks.com Cloud connection: connected ...CLI output shortened for brevity.If you are unable to connect to the Advanced URL Filtering cloud service, verify that the following domain is not being blocked: hawkeye.services-edge.paloaltonetworks.com.
- Install an updated firewall device certificate used to authenticate to the Advanced URL Filtering cloud service. Repeat for all firewalls enabled for cloud inline categorization.