Advanced Threat Prevention: Inline Cloud Analysis

Palo Alto Networks now operates a series of ML-based detection engines in the Advanced Threat Prevention cloud to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time to protect users against zero-day threats. By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate process intensive, firewall-based analyzers which can sap resources. The cloud-based detection engine logic is continuously monitored and updated using C2 traffic datasets from WildFire, with additional support through manual updates by Palo Alto Networks threat researchers, who provide human intervention for highly accurized detection enhancements. Inline cloud analysis supports five analysis engines for C2-based threats over HTTP, HTTP2, SSL, unknown-UDP, and unknown-TCP. Additional analysis models are delivered through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no firewall update. Inline cloud analysis is enabled and configured using the anti-spyware profile and requires an active Advanced Threat Prevention license.
  1. To take advantage of inline categorization, you must have an active Advanced Threat Prevention subscription.
    To verify subscriptions for which you have currently-active licenses, select
    and verify that the appropriate licenses are available and have not expired.
  2. Update or create a new Anti-Spyware Security profile to enable inline cloud analysis.
    1. Select an existing
      Anti-Spyware Profile
      a new one (
      Security Profiles
    2. Select your Anti-Spyware profile and then go to
      Inline Cloud Analysis
      Enable inline cloud analysis
    3. Specify an
      to take when a threat is detected using a corresponding analysis engine. The following options are available:
      The default action for each analysis engine is
      • Allow
        —The request is allowed and no log entry is generated.
      • Alert
        —The request is allowed and a Threat log entry is generated.
      • Drop
        —Drops the request; a reset action is not sent to the host/application.
      • Reset-Client
        —Resets the client-side connection.
      • Reset-Server
        —Resets the server-side connection.
      • Reset-Both
        —Resets the connection on both the client and server ends.
    4. Click
      to exit the Anti-Spyware Profile configuration dialog and
      your changes.
For additional information about configuring inline Cloud Analysis, including adding exceptions, verifying connectivity to the service, and monitoring details, refer to Configure Inline Cloud Analysis.

Recommended For You