Advanced Threat Prevention Support for Zero-day Exploit Prevention

1. Log in to the PAN-OS web interface.
2. To take advantage of inline cloud analysis of vulnerability exploits, you must have an active Advanced Threat Prevention subscription.
   To verify subscriptions for which you have currently-active licenses, select DeviceLicenses and verify that the appropriate licenses are available and have not expired.

3. Update or create a new Vulnerability Protection Security profile to enable inline cloud analysis.
   1. Select an existing Vulnerability Protection security profile or Add a new one (ObjectsSecurity ProfilesVulnerability Protection).
   2. Select your Vulnerability Protection profile and then go to Inline Cloud Analysis and Enable cloud inline analysis.
   3. Specify an Action to take when a vulnerability exploit is detected using a corresponding analysis engine. There are currently two analysis engines available: SQL Injection and Command Injection.
      • Allow—The request is allowed and no log entry is generated.
      • Alert—The request is allowed and a Threat log entry is generated.
      • Reset-Client—Resets the client-side connection.
      • Reset-Server—Resets the server-side connection.
      • Reset-Both—Resets the connection on both the client and server ends.
   4. Click OK to exit the Vulnerability Protection Profile configuration dialog and Commit your changes.
4. (Optional) Add URL and/or IP address exceptions to your Vulnerability Protection profile if Inline Cloud Analysis produces false-positives. You can add exceptions by specifying an external dynamic list (URL or IP address list types) or an Addresses object.
   1. Add an External Dynamic Lists or [IP] Addresses object exception.
   2. Select Objects > Security Profiles > Vulnerability to return to your Vulnerability Protection profile.
   3. Select a Vulnerability profile for which you want to exclude specific URLs and/or IP addresses and then select Inline Cloud Analysis.
   4. Add an EDL URL or IP Address, depending on the type of exception you want to add, and then select a pre-existing URL or IP address external dynamic list. If none are available, create a new external dynamic list. For IP address exceptions, you can, optionally, select an Addresses object list.
   5. Click OK to save the Vulnerability Protection profile and Commit your changes.
5. Install an updated firewall device certificate used to authenticate to the Advanced Threat Prevention inline cloud analysis service. Repeat for all firewalls enabled for inline cloud analysis.
   If you have already installed an updated firewall device certificate as part of your IoT Security, Device Telemetry, Advanced Threat Prevention, or Advanced URL Filtering onboarding process, this step is not necessary.
6. (Optional) Set the Cloud Content Fully Qualified Domain Name (FQDN) used by the firewall to handle inline cloud analysis service requests. The default FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then resolves to the closest cloud services server. You can override the automatic server selection by specifying a regional cloud content server that best meets your data residency and performance requirements.
   The Cloud Content FQDN is a globally used resource and affects how other services that rely on this connection sends traffic payloads.
   Verify that the firewall uses the correct Content Cloud FQDN (DeviceSetupContent-IDContent Cloud Setting) for your region and change the FQDN if necessary:

   • US—us.hawkeye.services-edge.paloaltonetworks.com
   • EU—eu.hawkeye.services-edge.paloaltonetworks.com
   • UK—uk.hawkeye.services-edge.paloaltonetworks.com

     The UK-based cloud content FQDN provides Advanced Threat Prevention inline cloud analysis service support by connecting to the backend service located in the EU (eu.hawkeye.services-edge.paloaltonetworks.com).
   • APAC—apac.hawkeye.services-edge.paloaltonetworks.com
7. (Optional) Verify the status of your firewall connectivity to the Advanced Threat Prevention cloud service.
   Use the following CLI command on the firewall to view the connection status.

   show ctd-agent status security-client 

   For example:

   show ctd-agent status security-client
   
   ...
   Security Client AceMlc2(1)
   Current cloud server:          hawkeye.services-edge.paloaltonetworks.com
   Cloud connection:              connected
   ...

   CLI output shortened for brevity.

   If you are unable to connect to the Advanced Threat Prevention cloud service, verify that the cloud content FQDN is not being blocked: hawkeye.services-edge.paloaltonetworks.com. If you specified a regional cloud content server in step 6, enter that FQDN instead.
8. (Optional) Monitor activity on the firewall for vulnerability exploits that have been detected using inline cloud analysis.
   1. Select MonitorLogsThreat and filter by ( category-of-threatid eq inline-cloud-exploit ) to view logs that have been analyzed using the inline cloud analysis mechanism of Advanced Threat Prevention. Inline exploit (SQL injection) threats have an ID of 99950 while inline exploit (command injection) threats have an ID of 99951.

   2. Select a log entry to view the details of a vulnerability exploit.
   3. The threat Category is displayed under the Details pane of the detailed log view. Vulnerability exploits that have been detected using inline cloud analysis have a threat category of inline-cloud-exploit.