Information
Enable 'Inline Cloud Analysis' on Anti-Spyware profiles to detect and protection against advanced, highly-evasive zero-day command-and-control (C2) threats.
Rationale:
Starting from PanOS 10, Palo Alto Networks now operates a series of ML-based detection engines in the Advanced Threat Prevention cloud to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time to protect users against zero-day threats. By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate process intensive, firewall-based analyzers which can sap resources.
The cloud-based detection engine logic is continuously monitored and updated using C2 traffic datasets from WildFire, with additional support through manual updates by Palo Alto Networks threat researchers, who provide human intervention for highly accurized detection enhancements.
Solution
Navigate to Objects > Security Profiles > Anti-Spyware
Go to Inline Cloud Analysis tab. Tick the checkbox for Enable cloud inline analysis. Verify that all Model action is set as reset-both.
Note that, firewall device certificate is used to authenticate to the Advanced Threat Prevention inline cloud analysis service. This step is required before Inline Cloud Analysis can be used. Refer to reference for detailed guide.
Default Value:
Not Configured