WildFire Inline ML
Table of Contents
WildFire Inline ML
WildFire inline ML prevents malicious content in real-time
using machine learning on the firewall.
You can now prevent malicious variants of
portable executables and PowerShell scripts from entering your network
in real-time using machine learning (ML) on the firewall dataplane.
By utilizing WildFire
®
Cloud analysis technology on the
firewall, WildFire Inline ML dynamically
detects malicious files of a specific type by evaluating various
file details, including decoder fields and patterns, to formulate
a high probability classification of a file. This protection extends
to currently unknown as well as future variants of threats that
match characteristics that Palo Alto Networks identified as malicious.
WildFire inline ML complements your existing Antivirus profile protection
configuration and requires an active WildFire subscription. Additionally,
you can specify file hash exceptions to exclude any false-positives
that you encounter, which enables you to create more granular rules
in your profiles to support your specific security needs.WildFire
inline ML is not supported on the VM-50 or VM50L virtual appliance.
- To take advantage of WildFire inline ML, you must have an active WildFire subscription to analyze Windows executables.Verify that you have a WildFire subscription. To verify subscriptions for which you have currently-active licenses, select and verify that the appropriate licenses display and are not expired.
- Create a new or update your existing Antivirus Security profiles to use the real-time WildFire analysis classification engine.
- Select an existingAntivirus ProfileorAdda new one (Objects > Security Profiles > Antivirus).
- Configure your Antivirus profile.
- SelectWildFire Inline MLand apply anAction Settingfor each WildFire inline ML model. This enforces WildFire inline ML Actions settings for each protocol on a per-model basis. There are three classification engines: Windows Executables, PowerShell Scripts 1, and PowerShell Scripts 2.
- enable (inherit per-protocol actions)—WildFire inspects traffic according to your selections in the WildFire Inline ML Action column in the decoders section of theActiontab.
- alert-only (override more strict actions to alert)—WildFire inspects traffic according to your selections in the WildFire Inline ML Action column in the decoders section of theActiontab and overrides any action with a severity level higher thanalert(drop,reset-client,reset-server,reset-both)alert, which allows traffic to pass while still generating and saving an alert in the threat logs.
- disable (for all protocols)—WildFire allows traffic to pass without any policy action.
- ClickOKto exit the Antivirus Profile configuration dialog andCommityour new settings.
- (Optional) Add file exceptions to your Antivirus Security profile if you encounter false-positives. You can add the file exception details directly to the exception list or by specifying a file from the threat logs.
- Add file exceptions directly to the exceptions list.
- SelectObjects > Security Profiles > Antivirus.
- Select an Antivirus profile for which you want to exclude specific files and then selectWildFire Inline ML.
- Add the hash, filename, and description of the file that you want to exclude from enforcement.
- ClickOKto save the Antivirus profile and thenCommityour changes.
- Add file exceptions from threat logs entries.
- SelectMonitor > Logs > Threatand filter the logs for theml-virusthreat type. Select a threat log for a file for which you wish to create a file exception.
- Go to theDetailed Log Viewand scroll toDetailsand thenCreate Exception.
- Add aDescriptionand clickOKto add the file exception.
- You can find the new file exception in theFile Exceptionslist (.
- (Optional)See Configure WildFire Inline ML for information about testing your firewall’s connection to the inline ML cloud service and viewing related logs.