Ignite & Activate Series – Part 2: Preventing Patient Zero | How to Defend Against Zero-Day Exploits With Advanced Threat Prevention

By: Nina Smith 


Watch this short video to learn how to enable ATP with Inline Cloud Analysis and prevent zero-day exploits.


Note: PAN-OS 11.0, an ATP license, and a consistent cloud connection are required.

In Part 1 of our Ignite and Activate Series, we explored how attackers are increasingly motivated to create cyber threats that are more elusive than ever. Among the most dangerous are zero-day exploits, which are attacks that leverage vulnerabilities with no available patch, often targeting weaknesses that the vendor has yet to discover.


So, how can organizations stay ahead of these advanced threats? The answer lies in the power of Palo Alto Networks’ Next-Generation Firewalls, which leverage our Advanced Threat Prevention (ATP) service to detect and block brand-new exploits, even those never seen before.


Beyond Signatures: Detecting the Unknown


Since its inception, Advanced Threat Prevention (ATP) on Next-Generation Firewalls (NGFWs) has relied on signature-based detection to block exploits targeting known vulnerabilities. While effective against familiar threats, this approach falls short against never-before-seen exploits designed to evade traditional signatures.

That is where ATP, introduced in PAN-OS 10.2, changed the game in C2 threat detection. Enabling Inline Cloud Analysis within the Anti-Spyware profile unlocks robust, real-time detection that stops even the most evasive C2 threats before they can cause harm.


But the story does not end there. ATP is an ever-evolving inline prevention capability. With PAN-OS 11.0, we expanded protection to the initial access stage, where attackers exploit previously undisclosed vulnerabilities. With your ATP license, you now have inline prevention against never-before-seen exploits leveraging techniques like SQL injection and command injection. Activating this protection is as simple as enabling Inline Cloud Analysis within the Vulnerability Protection profile.


Enabling Inline Prevention Through Cloud-Powered Analysis


How it works


When Inline Cloud Analysis is enabled, suspicious traffic is routed to globally distributed, cloud-hosted machine learning and deep learning models for advanced inspection.


The inline element is what makes it powerful. The firewall holds the last byte of traffic until the cloud-based analysis is complete. With ATP’s globally distributed cloud locations, verdicts return to the firewall at lightning speed, enabling real-time inspection without disrupting the end user experience. This seamless, instantaneous process is what makes the analysis truly inline.


Preventing Patient Zero


With PAN-OS 11.0, your firewall can now detect never-before-seen SQL injection and command injection attacks, high-impact techniques often used to exploit previously unknown vulnerabilities. These are vulnerabilities that neither the vendor nor the organization is aware of, making them especially dangerous.


Enabling ATP to Defend Against Zero-Day Exploits


A Step-by-Step Guide


Activating this critical protection is simple, whether you are managing your environment through Strata Cloud Manager (SCM), the firewall UI, or Panorama.


Activate in Strata Cloud Manager (SCM):


  1. In the SCM UI, navigate to Manage Configuration > NGFW and Prisma Access.
  2. Select your desired configuration scope.
  3. Go to Security Services > Vulnerability Protection.
  4. Select the vulnerability protection profile currently in use in your security policies.
  5. Scroll down to the Inline Cloud Analysis section.
  6. Ensure the "Enable inline cloud analysis" box is checked.
  7. For both of the machine learning models for injection attacks (Command and SQL), select the desired action. While the default is "Alert," Palo Alto Networks strongly recommends setting all actions to "Reset Both" for the best security posture.
  8. Click "Save," then "Push Config," followed by "Push" to apply the changes.


Activate in the Firewall UI or Panorama:


  1. Navigate to Objects > Security Profiles > Vulnerability Protection.
  2. Select the vulnerability protection profile currently in use in your security policies.
  3. Click the "Inline Cloud Analysis" tab.
  4. Ensure the "Enable inline cloud analysis" box is checked.
  5. Based on your organization's policy, select the action for both of the machine learning models for injection attacks (Command and SQL). Again, "Reset Both" is the recommended action for optimal security.
  6. Click "OK" to save, and then "Commit" to apply the changes.
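As an added check that is not part of the original post, the Python script below audits an exported PAN-OS configuration and flags Vulnerability Protection profiles where Inline Cloud Analysis is off or the injection models are still at "Alert" rather than the recommended "Reset Both". The XML element names and the sample configuration are assumptions, not taken from the post; verify them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant slice of a PAN-OS running-config export.
# Element names (cloud-inline-analysis, mica-engine-vulnerability-enabled,
# inline-policy-action) are assumed; verify them against your own export.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><profiles><vulnerability>
  <entry name="strict-with-ica">
    <cloud-inline-analysis>yes</cloud-inline-analysis>
    <mica-engine-vulnerability-enabled>
      <entry name="SQL Injection"><inline-policy-action>reset-both</inline-policy-action></entry>
      <entry name="Command Injection"><inline-policy-action>reset-both</inline-policy-action></entry>
    </mica-engine-vulnerability-enabled>
  </entry>
  <entry name="alert-only">
    <cloud-inline-analysis>yes</cloud-inline-analysis>
    <mica-engine-vulnerability-enabled>
      <entry name="SQL Injection"><inline-policy-action>alert</inline-policy-action></entry>
      <entry name="Command Injection"><inline-policy-action>alert</inline-policy-action></entry>
    </mica-engine-vulnerability-enabled>
  </entry>
  <entry name="legacy-sigs-only"/>
</vulnerability></profiles></entry></vsys></entry></devices></config>"""

RECOMMENDED_ACTION = "reset-both"   # what the post recommends ("Reset Both")
INJECTION_MODELS = ("SQL Injection", "Command Injection")

def audit_vulnerability_profiles(config_xml):
    """Map each Vulnerability Protection profile name to a list of findings.
    An empty list means inline cloud analysis is on and both injection
    models use the recommended action."""
    root = ET.fromstring(config_xml)
    results = {}
    for prof in root.iterfind(".//profiles/vulnerability/entry"):
        findings = []
        if prof.findtext("cloud-inline-analysis") != "yes":
            findings.append("inline cloud analysis disabled")
        for model in INJECTION_MODELS:
            node = prof.find(f"mica-engine-vulnerability-enabled/entry[@name='{model}']")
            action = node.findtext("inline-policy-action") if node is not None else None
            if action != RECOMMENDED_ACTION:
                findings.append(f"{model}: action is {action or 'unset'}, "
                                f"expected {RECOMMENDED_ACTION}")
        results[prof.get("name")] = findings
    return results

if __name__ == "__main__":
    for name, findings in audit_vulnerability_profiles(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against a real export (Device > Setup > Operations > Export named configuration snapshot) by replacing SAMPLE_CONFIG with the file contents; only profiles that are actually referenced by security policies matter, so cross-check the names against your rulebase.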


Why ATP Matters: Deeper Visibility, Stronger Defense


ATP is the frontline shield your organization needs to stay ahead of modern threats.


When Advanced Threat Prevention (ATP) with Inline Cloud Analysis is enabled on both the Anti-Spyware and Vulnerability Protection profiles, your organization gains advanced protection against zero-day exploits and against highly evasive and adaptable command and control (C2) threats, including those generated by advanced tools such as Cobalt Strike and Empire.


Each detection generates a detailed cloud report that explains the detection logic and provides valuable context, including CVE references and mapping to the MITRE ATT&CK framework. This equips your security team with deeper insights into the nature and behavior of each threat, empowering smarter, faster decisions. To protect your organization from the most advanced C2 threats, enabling ATP on your Palo Alto Networks firewall is not optional; it is essential. 


Take the step to unmask hidden adversaries and strengthen your defense against today’s most sophisticated attacks.
