Configure inline categorization based on the PAN-OS version your management interface
is running.
In PAN-OS 10.2, the URL Filtering Inline ML feature was renamed
to Inline Categorization. As a result, the PAN-OS 10.1 task uses the phrase URL
Filtering inline ML while the PAN-OS 10.2 and Later task uses Inline Categorization. For
more information, review the URL Filtering Inline ML entry in PAN-OS 10.2 Upgrade/Downgrade
Considerations.
PAN-OS 10.1
Verify that you have an active legacy URL filtering or Advanced URL Filtering subscription.
Select Device > Licenses and confirm that a URL filtering license is available and has not expired.
Configure the URL Filtering Inline ML settings in a URL Filtering profile.
Select Objects > Security Profiles > URL Filtering, then Add or select a URL Filtering profile.
Select Inline ML and define an Action for each inline ML model. There are two classification engines available for each type of malicious webpage content: Phishing and JavaScript Exploit.
Block—When the firewall detects a website with phishing content, the firewall generates a URL Filtering log entry.
Alert—The firewall allows access to the website and generates a URL Filtering log entry.
Allow—The firewall allows access to the website but does not generate a URL Filtering log entry.
Click OK to save your changes.
Commit your changes.
(Optional) Add URL exceptions to your URL Filtering profile if you encounter false positives.
You can add exceptions by specifying an external dynamic list in the URL Filtering profile or by adding a web page entry from the URL Filtering logs to a custom URL category.
Select Objects > Security Profiles > URL Filtering.
Select a URL Filtering profile for which you want to exclude specific URLs, then select Inline ML.
Add a pre-existing external dynamic list of URL type. If none is available, create a new external dynamic list.
Click OK to save your changes.
Commit your changes.
Add file exceptions from URL Filtering log entries.
Select Monitor > Logs > URL Filtering and filter the logs for URL entries with an Inline ML Verdict of malicious-javascript or phishing. Select a URL Filtering log for a URL that you wish to create an exception for.
Go to the Detailed Log View and scroll down to the Details pane, then select Create Exception located next to the Inline ML Verdict.
Select a custom category for the URL exception, then click OK.
The new URL exception can be found in the list to which it was added, under Objects > Custom Objects > URL Category.
(Optional) Verify the status of your firewall’s connectivity to the inline ML cloud service.
Use the following CLI command on the firewall to view the connection status.
show mlav cloud-status
For example:
show mlav cloud-status
MLAV cloud
Current cloud server: ml.service.paloaltonetworks.com
Cloud connection: connected
If you are unable to connect to the inline ML cloud service, verify that the
ML domain ml.service.paloaltonetworks.com is not blocked.
PAN-OS 10.2 and Later
To take advantage of inline categorization, you must have an active Advanced URL Filtering subscription. Local inline categorization can be enabled if you are a pre-existing holder of a legacy URL Filtering subscription.
Verify that you have an Advanced URL Filtering subscription.
To verify subscriptions for which you have currently active licenses, select Device > Licenses and verify that the appropriate licenses are available and have not expired.
Update or create a new URL Filtering profile to enable cloud inline categorization.
The policy action used by local and cloud inline categorization is dependent on the configured settings under the Categories tab.
Select an existing URL Filtering Profile or Add a new one (Objects > Security Profiles > URL Filtering).
Select your URL Filtering profile and then go to Inline Categorization and enable the inline categorization methods you want to deploy.
Enable cloud inline categorization—A cloud-based inline deep learning engine that analyzes suspicious web page content in real time to protect users against zero-day web attacks, including targeted phishing attacks, and other web-based attacks that use advanced evasion techniques.
Enable local inline categorization—A firewall-based detection engine using machine learning techniques to prevent malicious variants of JavaScript exploits and phishing attacks embedded in webpages.
Click OK and Commit your changes.
(Optional) Add URL exceptions to your URL Filtering profile if you encounter false positives. You can add exceptions by specifying an external dynamic list or custom URL category list in the URL Filtering profile. The specified exceptions apply to both cloud and local inline categorization.
URL exceptions created through other mechanisms that add entries to the custom URL category (Objects > Custom Objects > URL Category) can also function as exceptions for inline categorization.
Select Objects > Security Profiles > URL Filtering.
Select a URL Filtering profile for which you want to exclude specific URLs, then select Inline Categorization.
Click Add to select a pre-existing URL-based external dynamic list or custom URL category. If none is available, create a new external dynamic list or custom URL category, respectively.
Click OK to save the URL Filtering profile and Commit your changes.
(Optional) Set the Cloud Content Fully Qualified Domain Name (FQDN) used by the firewall to handle inline categorization service requests. The default FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then resolves to the closest cloud services server. You can override the automatic server selection by specifying a regional cloud content server that best meets your data residency and performance requirements.
The Cloud Content FQDN is a globally used resource and affects how other services that rely on this connection send traffic payloads.
Verify that the firewall uses the correct Content Cloud FQDN (Device > Setup > Content-ID > Content Cloud Setting) for your region and change the FQDN if necessary:
US—us.hawkeye.services-edge.paloaltonetworks.com
EU—eu.hawkeye.services-edge.paloaltonetworks.com
UK—uk.hawkeye.services-edge.paloaltonetworks.com
The UK-based cloud content FQDN provides Advanced URL Filtering inline categorization service support by connecting to the backend service located in the EU (eu.hawkeye.services-edge.paloaltonetworks.com).
APAC—apac.hawkeye.services-edge.paloaltonetworks.com
(Optional) Verify the status of your firewall’s connectivity to the inline categorization servers.
The ml.service.paloaltonetworks.com server provides periodic updates for firewall-based components related to the operation of cloud and local inline categorization.
Use the following CLI command on the firewall to view the connection status.
show mlav cloud-status
For example:
show mlav cloud-status
MLAV cloud
Current cloud server: ml.service.paloaltonetworks.com
Cloud connection: connected
If you are unable to connect to the inline ML cloud service, verify that the following domain is not being blocked: ml.service.paloaltonetworks.com.
The hawkeye.services-edge.paloaltonetworks.com server is used by cloud inline categorization to handle service requests.
Use the following CLI command on the firewall to view the connection status.
show ctd-agent status security-client
For example:
show ctd-agent status security-client
...
Security Client AceMlc2(1)
Current cloud server: hawkeye.services-edge.paloaltonetworks.com
Cloud connection: connected
...
CLI output shortened for brevity.
If you are unable to connect to the Advanced URL Filtering cloud service, verify that the following domain is not being blocked: hawkeye.services-edge.paloaltonetworks.com.
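The two connectivity checks above (and the same show mlav cloud-status check in the PAN-OS 10.1 task) can be automated over saved CLI output. The following is an added example, not Palo Alto Networks code: it parses the "Current cloud server" and "Cloud connection" fields as they appear on this page and reports when the firewall is not connected or is not using the Cloud Content FQDN expected for your region. The function names and the "disconnected" sample state are assumptions.

```python
import re

# Service FQDNs named on this page; a regional entry overrides the default.
ML_UPDATE_FQDN = "ml.service.paloaltonetworks.com"
CLOUD_CONTENT_FQDNS = {
    "default": "hawkeye.services-edge.paloaltonetworks.com",
    "US": "us.hawkeye.services-edge.paloaltonetworks.com",
    "EU": "eu.hawkeye.services-edge.paloaltonetworks.com",
    "UK": "uk.hawkeye.services-edge.paloaltonetworks.com",
    "APAC": "apac.hawkeye.services-edge.paloaltonetworks.com",
}
_FIELD = re.compile(r"^\s*(Current cloud server|Cloud connection):\s*(\S.*?)\s*$")

def parse_cloud_status(cli_output):
    """Return [(server, connection_state)] for each server/connection pair."""
    pairs, server = [], None
    for line in cli_output.splitlines():
        m = _FIELD.match(line)
        if m and m.group(1) == "Current cloud server":
            server = m.group(2)
        elif m and server is not None:
            pairs.append((server, m.group(2)))
            server = None
    return pairs

def check_cloud_status(cli_output, expected_fqdn):
    """Return a list of findings; an empty list means the check passed."""
    pairs = parse_cloud_status(cli_output)
    matching = [(s, c) for s, c in pairs if s.lower() == expected_fqdn.lower()]
    if not matching:
        seen = ", ".join(s for s, _ in pairs) or "none"
        return [f"{expected_fqdn}: not the current cloud server (seen: {seen})"]
    # Any state other than 'connected' is reported, whatever its wording.
    return [f"{s}: cloud connection is '{c}', expected 'connected'"
            for s, c in matching if c.lower() != "connected"]

# Constructed samples: the first two copy the output shown on this page; the
# third is a made-up failure case (the 'disconnected' wording is an assumption).
MLAV_OK = ("MLAV cloud\nCurrent cloud server: ml.service.paloaltonetworks.com\n"
           "Cloud connection: connected\n")
CTD_OK = """...
Security Client AceMlc2(1)
Current cloud server: hawkeye.services-edge.paloaltonetworks.com
Cloud connection: connected
...
"""
CTD_DOWN = CTD_OK.replace("connection: connected", "connection: disconnected")

if __name__ == "__main__":
    print(check_cloud_status(MLAV_OK, ML_UPDATE_FQDN))
    print(check_cloud_status(CTD_OK, CLOUD_CONTENT_FQDNS["EU"]))
    print(check_cloud_status(CTD_DOWN, CLOUD_CONTENT_FQDNS["default"]))
```

A finding for the regional FQDN while the default server is listed indicates the Content Cloud Setting was not changed, which matters when the regional server was chosen for data residency.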