WildFire
inline ML is not currently supported on the VM-50 or VM50L virtual
appliance.
To take advantage of WildFire inline ML, you must
have an active WildFire subscription to analyze Windows executables.
Verify that you have a WildFire subscription. To verify
which subscriptions that you currently have licenses for, select DeviceLicenses and
verify that the appropriate licenses display and have not expired.
Create a new or update your existing Antivirus security
profile(s) to use the real-time WildFire inline ML models.
Select an existing Antivirus Profile or
create a new one (select Objects > Security Profiles
> Antivirus and Add a new profile.
Configure your Antivirus profile.
Select the WildFire Inline ML tab
and apply an Action Setting for each WildFire
Inline ML model. This enforces the WildFire Inline ML Actions settings
configured for each protocol on a per model basis. The following classification
engines available: Windows Executables, PowerShell Scripts 1, and
PowerShell Scripts 2.
The following additional analysis
models are available upon installation of the specified content
update:
Executable Linked Format (available with installation
of PAN-OS content release 8367 and later)
MSOffice (available with installation of PAN-OS content release
8434 and later)
Shell Scripts (available with installation of PAN-OS content
release 8543 and later)
enable
(inherit per-protocol actions)—WildFire inspects traffic according
to your selections in the WildFire Inline ML Action column in the
decoders section of the Action tab.
alert-only (override more strict actions to alert)—WildFire
inspects traffic according to your selections in the WildFire Inline
ML Action column in the decoders section of the Action tab
and overrides any action with a severity level higher than alert (drop, reset-client, reset-server, reset-both) alert,
which allows traffic to pass while still generating and saving an
alert in the threat logs.
disable (for all protocols)—WildFire allows traffic
to pass without any policy action.
Click OK to exit the Antivirus Profile
configuration window and Commit your new
settings.
(Optional) Add file exceptions to your Antivirus
security profile if you encounter false-positives. This is typically
done for users who are not forwarding files to WildFire for analysis.
You can add the file exception details directly to the exception
list or by specifying a file from the threat logs.
If your WildFire Analysis security profile is configured
to forward the filetypes analyzed using WildFire inline ML, false-positives
are automatically corrected as they are received. If you continue
to see ml-virus alerts for files that have been classified as benign
by WildFire Analysis, please contact Palo Alto Networks Support.
Add file exceptions directly to the exception list.
Select Objects > Security Profiles > Antivirus.
Select an Antivirus profile for which you want to exclude
specific files and then select WildFire Inline ML.
Add the hash, filename, and description of the file that
you want to exclude from enforcement.
Click OK to save the Antivirus profile
and then Commit your updates.
Add file exceptions from threat logs entries.
Select Monitor
> Logs > Threat and filter the logs for the ml-virus threat
type. Select a threat log for a file that you wish to create a file
exception for.
Go to the Detailed Log View and scroll
down to the Details pane then select Create
Exception.
Add a Description and click OK to
add the file exception.
The new file exception can be found File Exceptions list
under Objects > Security Profiles > Antivirus > WildFire
Inline ML.
(Optional) Verify the status of your firewall’s
connectivity to the Inline ML cloud service.
Use the following CLI command on the firewall to view the
connection status.
show mlav cloud-status
For
example:
show mlav cloud-status
MLAV cloud
Current cloud server: ml.service.paloaltonetworks.com
Cloud connection: connected
If you are unable
to connect to the Inline ML cloud service, verify that the following
domain is not being blocked: ml.service.paloaltonetworks.com.
To view information about files that have been detected
using WildFire Inline ML, examine the threat logs (Monitor
> Logs > Threat, then select the log type from the list).
Files that have been analyzed using WildFire inline ML are labeled
with the threat type ml-virus: