US-20260129021-A1 - ARTIFICIAL INTELLIGENCE ASSISTED CONFIGURATION COMPLIANCE POLICY CREATION AND ENFORCEMENT FRAMEWORK

Abstract

A natural language description of a custom configuration for a firewall is received. A prompt is generated based on the natural language description. The prompt includes a schema. A large language model response that includes verification logic for the firewall based on the schema is received. The verification logic is stored in a database.

Inventors

  • Prem Kumar Jayaraj
  • Chadd Jeffrey Christiansen
  • Vishwas Tantry
  • Miaomiao SHEN
  • Zezhou Chen

Assignees

  • PALO ALTO NETWORKS, INC.

Dates

Publication Date
20260507
Application Date
20241107

Claims (20)

  1. A method, comprising: receiving a natural language description of a custom configuration for a firewall; generating a prompt based on the natural language description, wherein the prompt includes a schema; receiving a large language model response that includes verification logic for the firewall based on the schema; and storing the verification logic in a database.
  2. The method of claim 1, wherein the schema is converted from a first format into a second format.
  3. The method of claim 2, wherein the first format is XML and the second format is JSON.
  4. The method of claim 1, wherein the verification logic is written in a format that matches a format associated with the schema.
  5. The method of claim 1, wherein the natural language description is determined from a conversational interaction between a user and a machine learning service.
  6. The method of claim 1, further comprising receiving a modified configuration file associated with the firewall.
  7. The method of claim 6, further comprising receiving a notification that a configuration file associated with the firewall has been modified.
  8. The method of claim 7, wherein the modified configuration file associated with the firewall is associated with a particular tenant.
  9. The method of claim 8, further comprising determining that the verification logic stored in the database corresponds to the particular tenant.
  10. The method of claim 9, further comprising obtaining the modified configuration file associated with the firewall and the verification logic corresponding to the particular tenant.
  11. The method of claim 10, further comprising applying the verification logic corresponding to the particular tenant to the modified configuration file associated with the firewall.
  12. The method of claim 11, further comprising determining to revert the modified configuration file associated with the firewall to a previous version of a custom configuration file for the file in response to determining that there are one or more errors associated with the modified configuration file.
  13. The method of claim 12, wherein the previous version is a most recent verified version of the custom configuration file.
  14. The method of claim 11, further comprising updating firewall settings for the firewall based on the modified configuration file in response to determining that there are no errors associated with the modified configuration file.
  15. The method of claim 11, further comprising generating a report based on applying the verification logic corresponding to the particular tenant to the modified configuration file associated with the firewall.
  16. A system, comprising: a processor configured to: receive a natural language description of a custom configuration for a firewall; generate a prompt based on the natural language description, wherein the prompt includes a schema; receive a large language model response that includes verification logic for the firewall based on the schema; and store the verification logic in a database; and a memory coupled to the processor and configured to provide the processor with instructions.
  17. The system of claim 16, wherein the schema is converted from a first format into a second format.
  18. The system of claim 16, wherein the verification logic is written in a format that matches a format associated with the schema.
  19. The system of claim 16, wherein the natural language description is determined from a conversational interaction between a user and a machine learning service.
  20. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: receiving a natural language description of a custom configuration for a firewall; generating a prompt based on the natural language description, wherein the prompt includes a schema; receiving a large language model response that includes verification logic for the firewall based on the schema; and storing the verification logic in a database.
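The enforcement loop of claims 6 to 15, as an added illustration that is not code from the patent or from the assignee: per-tenant verification logic is looked up from a store, applied to a modified configuration, and the result is either applied or reverted to the most recent verified version. The rule format, the sample tenant "tenant-a", the configuration fields and the in-memory dictionaries standing in for the database are all constructed assumptions; the logic is kept as declarative rules in the same JSON shape as the schema (claim 4), so the loop evaluates data rather than executing model-generated code, and an unknown tenant fails closed.

```python
import copy

# Constructed sample: verification logic stored per tenant (claims 8-10),
# expressed as declarative rules rather than executable code from the model.
VERIFICATION_LOGIC_DB = {
    "tenant-a": [
        {"path": "mgmt/ssh/port", "op": "eq", "value": 22,
         "msg": "SSH management port must remain 22"},
        {"path": "mgmt/allowed-sources", "op": "subset",
         "value": ["10.0.0.0/8", "192.168.1.0/24"],
         "msg": "management access only from approved ranges"},
        {"path": "logging/enabled", "op": "eq", "value": True,
         "msg": "traffic logging must stay enabled"},
    ],
}

# Constructed sample: most recent verified configuration per tenant (claim 13).
LAST_VERIFIED = {
    "tenant-a": {"mgmt": {"ssh": {"port": 22}, "allowed-sources": ["10.0.0.0/8"]},
                 "logging": {"enabled": True}},
}

OPS = {"eq": lambda actual, want: actual == want,
       "subset": lambda actual, want: set(actual) <= set(want)}

def lookup(config, path):
    """Walk a slash-separated path through nested dicts; return (value, found)."""
    node = config
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return None, False
        node = node[key]
    return node, True

def check_rule(config, rule):
    """Return an error string if the rule fails, else None. A missing or
    wrongly typed field counts as a failure so nothing slips through unchecked."""
    actual, found = lookup(config, rule["path"])
    if not found:
        return f"{rule['path']}: field missing ({rule['msg']})"
    try:
        ok = OPS[rule["op"]](actual, rule["value"])
    except TypeError:
        ok = False
    return None if ok else f"{rule['path']}: {actual!r} rejected ({rule['msg']})"

def verify_modification(tenant, modified, logic_db=VERIFICATION_LOGIC_DB,
                        verified=LAST_VERIFIED):
    """Claims 10-15: apply the tenant's logic, then revert or apply, and report."""
    rules = logic_db.get(tenant)
    if rules is None:  # fail closed: no stored logic means nothing is verified
        return {"action": "revert", "errors": ["no verification logic for tenant"],
                "config": copy.deepcopy(verified.get(tenant))}
    errors = [e for e in (check_rule(modified, r) for r in rules) if e]
    if errors:
        return {"action": "revert", "errors": errors,
                "config": copy.deepcopy(verified[tenant])}
    verified[tenant] = copy.deepcopy(modified)  # becomes the most recent verified version
    return {"action": "apply", "errors": [], "config": copy.deepcopy(modified)}
```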

Description

BACKGROUND OF THE INVENTION

A network firewall is associated with a default configuration that includes one or more rules. Each rule is associated with a default value (or an industry-defined best practice value for that rule or fields in a rule or any network configuration object). For example, a rule may indicate that a particular port has a default value of “value 1.” These default values may align with industry best practices to ensure the network secured by the firewall remains protected. However, a customer may desire to implement a custom configuration that modifies some or all of the default values associated with the one or more rules (or industry-defined best practice value for a field). The network firewall may be updated to implement the custom firewall configuration. As a result, one or more security vulnerabilities may be introduced into the customer's network.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 is a block diagram illustrating a system to generate a verification logic for a custom firewall configuration and apply the verification logic to a modification to the custom firewall configuration in accordance with some embodiments.

FIG. 2 is a flow diagram illustrating a process to generate a verification logic for a custom firewall configuration in accordance with some embodiments.

FIG. 3 is a flow diagram illustrating a process to verify a custom configuration modification to a configuration file in accordance with some embodiments.

FIG. 4A illustrates an example of a prompt in accordance with some embodiments.

FIG. 4B illustrates an example of the verification logic generated by a large language model in accordance with some embodiments.

FIG. 5A illustrates an example of a prompt in accordance with some embodiments.

FIG. 5B illustrates an example of the verification logic generated by a large language model in accordance with some embodiments.

FIG. 6 illustrates an example of a metaschema.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

A security provider associated with the firewall may provide default settings for a firewall. An administrator of a network associated with a firewall may desire to implement a firewall configuration with settings that differ from the default settings established by the security provider. Currently, a software engineer is needed to generate a custom firewall configuration. A software engineering team currently maintains a library in Python or other code which maintains the industry-defined best practice values for all the fields of the firewall configuration. The code may be written in Python, which can be challenging to maintain and requires a dedicated team for ongoing support. The software engineer may not be a subject matter expert on best practices for a network firewall. The Python or other code library runs when a customer makes any configuration changes on their firewall. However, the library cannot support customer specific best practices. A generic f