>
    Strata Copilot
    Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)
    Focus
    Download PDF
    Focus
    1. Home
    2. AI Access Security
    3. Administration
    4. Create Custom Security Policy Rules to Control GenAI Access
    5. Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)
    Download PDF
    AI Access Security

    Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)

    Table of Contents

    Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)

    Create custom policy rules in Strata Cloud Manager to control GenAI App usage in your organization.
    Your Internet Access Security policy rules are evaluated and enforced ahead of your Security policy rules. In the event a Internet Access and Security policy rule both apply to the same traffic, the Internet Access policy rule Action and Enterprise DLP inspection configuration take precedence over the Security policy rule. After a successful match to a Internet Access policy rule, no further policy rule evaluation is performed.
    For example, you create Internet Access policy rule and Security policy rule that apply to User Group A and multiple GenAI apps.
    • Internet Access Policy Rule A allows User Group A access to the specified GenAI apps and has an Enterprise DLP Data Profile A associated with the GenAI apps to prevent exfiltration of sensitive data.
    • Security Policy Rule B blocks User Group A's access to the same specified GenAI apps.
    In this case, when any user in User Group A accesses a GenAI app specified in the Internet Access and Security policy rules they are allowed and Enterprise DLP inspection and verdict rendering is performed because Internet Access Policy Rule A is higher in the policy rulebase evaluation order.
    1. Use the AI Access Security Insights dashboard to discover risks posed by GenAI apps.
      The AI Access Security Insights dashboard provides detailed and comprehensive visibility into GenAI app usage across your organization. You can discover risky GenAI app use cases, individual risky GenAI apps, as well as risky users accessing GenAI apps.
    2. If you want to use the existing policies in snippets, perform the initial AI Access Security configuration.
      On Strata Cloud Manager, This includes creating an Enterprise Data Loss Prevention (E-DLP) data profile to define the sensitive data match criteria, associating the predefined Gen-AI-Best-Practice and Application-Tagging snippets, and the Vulnerability Protection profile used to stop attempts to exploit system flaws or gain unauthorized access to systems.
      For NGFW, this also includes creating an internal trust zone and an outbound untrusted zone.
    3. If you want to build your own custom policies, log in to Strata Cloud Manager.
    4. Create a custom Internet Access policy rule.
      • In Strata Cloud Manager, even though you can create custom policy rules through Security Policies for GenAI Apps, it's recommended that you use Internet Access policy rules to create policy rules efficiently.
      • It's not recommended to have both GenAI and non-GenAI apps in the same policy if the Enterprise Data Loss Prevention (E-DLP) license isn't active.
      1. Select Add RuleInternet Access Rule.
      2. Enable the Internet Access policy rule.
      3. Enter a descriptive Name.
      4. (Optional) Add a Description for the Internet Access policy rule, and add a predefined Tag or create a new one.
      5. Configure the Action (Block or Allow).
      6. (Optional) Configure a Schedule to specify the times the Internet Access policy rule is active.
      7. In the Match Criteria section, define traffic to enforce based on the traffic Source (where it originates).
        For example, based on your risk discovery investigation you determine unauthorized users associated with User Group A access a GenAI app sanctioned for use by User Group B. In this case you can create a Internet Access policy rule to block access to the GenAI and add User Group A as the user group Source.
      8. In the Web Application section, configure the Application or URL Category to define which GenAI apps or GenAI app URLS you want to block or allow access to.
        (Allowed GenAI Apps) Only add supported GenAI apps to the list of allowed apps.
        • Application—Add one or more GenAI apps.
        • Application Group—An application group is a static grouping of individual apps that you create.
        • Application Filter—An application filter dynamically groups applications based on app filters you define.
          For example, you can use a predefined or custom GenAI app filter to dynamically control access to GenAI apps in your organization rather than adding individual GenAI apps or creating an application group that must be updated manually each time a change is required.
      9. (Allowed GenAI Apps) In the Security Inspection section, select a file blocking and Enterprise DLP profile to prevent exfiltration of sensitive data.
        • File Control Profile—A File Blocking profile allows you to identify specific file types that you want to block or monitor. You can create a custom File Blocking profile or use the default Best Practice File Blocking profile.
        • DLP Profile—An Enterprise DLP data profile allows you to define the match criteria for sensitive data that you want to inspect for and block to prevent exfiltration of sensitive data. You must assign a data profile to generate Sensitive Assets data when discovering risks posed by GenAI apps.
      10. Configure the rest of the custom Internet Access policy rule as needed.
      11. Save.
    5. Verify that your Access policy rule was successfully created and order it within your policy rulebase as needed.
    6. Push Config and Push.

    © 2026 Palo Alto Networks, Inc. All rights reserved.