Create Custom Policy Rules to Control GenAI App Usage (

Strata Cloud Manager

)

Use the
AI Access Security
Insights dashboard to discover risks posed by GenAI apps.
The
AI Access Security
Insights dashboard provides detailed and comprehensive visibility into GenAI app usage across your organization. You can discover risky GenAI app use cases, individual risky GenAI apps, as well as risky users accessing GenAI apps.
Perform the initial
AI Access Security
configuration.
This includes creating an
Enterprise Data Loss Prevention (E-DLP)
data profile to define the sensitive data match criteria and the Vulnerability Protection profile used to stop attempts to exploit system flaws or gain unauthorized access to systems.
For
NGFW
, this also includes creating an internal trust zone and an outbound untrusted zone.
Log in to
Strata Cloud Manager
.
Select
Manage
Configuration
NGFW & Prisma Access
Security Services
Web Security
and select your target
Configure Scope
.
Select
Security Settings
Threat Management
and
Customize
Vulnerability Protection
for your Web Security policy rules.
The Vulnerability Protection settings you configure here are applied to Web Security policy rules.
Select the
Vulnerability Protection Profile
you created during the initial configuration.
Configure the remaining Vulnerability Protection settings as needed.
Save
.
Select
Policies
to continue creating policy rules to control GenAI app usage.
Modify the predefined
Sanctioned GenAI Access
policy rule.
Select the predefined
Sanctioned GenAI Access
policy rule and
Enable
.
Click the predefined
Sanctioned GenAI Access
policy rule to modify it.
Make the required changes for the predefined
Sanctioned GenAI Access
policy rule.
Save
.
Create a custom Web Access policy rule.
Add Policy

.

Enter a descriptive

Name

.

Enable

the Web Access policy rule.

(

Optional

) Add a

Description

for the Web Access policy rule, and add a predefined

Tag

or create a new one.

(

Optional

) Configure a

Schedule

to specify the times the Web Access policy rule is active.

Define traffic to enforce based on the traffic

Source

(where it originates).

For example, based on your risk discovery investigation you determine unauthorized users associated with

User Group A

access a GenAI app sanctioned for use by

User Group B

. In this case you can create a Web Access policy rule to block access to the GenAI and add

User Group A

as the user group

Source

.

Configure

Blocked Web Applications

and

Allowed Web Applications

to define which GenAI apps you want to block or allow access to.

(

Allowed Web Applications

) Only add supported GenAI apps to the list of allowed apps.

Application
—Add one or more GenAI apps.
Application Category
—An application category, otherwise referred to as an application filter, dynamically groups applications based on application filters you define.
For example, you can use a predefined or custom GenAI app filter to dynamically control access to GenAI apps in your organization rather than adding individual GenAI apps or creating an application group that must be updated manually each time a change is required.
Application Group
—An application group is a static grouping of individual apps that you create.

(

Allowed Web Applications

) When adding your allowed application, click the

DLP

column and add a DLP Rule.

Enterprise Data Loss Prevention (E-DLP)

is required to prevent exfiltration of sensitive data and to generate

Sensitive Assets

data when discovering risks posed by GenAI apps.

Configure the rest of the Custom Web Access policy rule as needed.

Save

.
Push Config
and
Push
.