>
    Strata Copilot
    Modify Default GenAI App Access Policy Rule to Control GenAI Access
    Focus
    Download PDF
    Focus
    1. Home
    2. AI Access Security
    3. Administration
    4. Modify Default GenAI App Access Policy Rule to Control GenAI Access
    Download PDF
    AI Access Security

    Modify Default GenAI App Access Policy Rule to Control GenAI Access

    Table of Contents

    Modify Default GenAI App Access Policy Rule to Control GenAI Access

    Modify the default GenAI App policy rules in Strata Cloud Manager to control GenAI App usage in your enterprise.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Strata Logging Service license
    And one of the following:
    • AI Access Security license
    • CASB-PA license
    • CASB-X license
    Modify the Default GenAI App Policy rule in Strata Cloud Manager to control GenAI App usage in your enterprise.
    • In Strata Cloud Manager, even though you can create policy rules through Security Policies for GenAI Apps, Palo Alto Networks recommended that you use Internet Access Security policy rules to create policy rules efficiently.
    • Palo Alto Networks doesn't recommended having both GenAI and non-GenAI apps in the same policy if the Enterprise Data Loss Prevention (E-DLP) license isn't active.
    For Strata Cloud Manager, AI Access Security includes a predefined Default GenAI App Access to control access to all GenAI apps not explicitly allowed in your enterprise with an out of the box policy. By default, this policy rule blocks all GenAI apps across your enterprise. To modify this policy:
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationNGFW & Prisma AccessSecurity ServicesSecurity Policy and select your target Configure Scope (Gen-AI-Best-Practice snippet).
    3. Click the predefined Default GenAI App Access policy rule.
      This policy rule blocks access to all GenAI apps.
    4. Enable the Default GenAI App Access policy rule. It's disabled by default.
    5. In the Web Application section, configure the Application and URL Category as needed. By default, Default GenAI App Access policy rule blocks access to all GenAI apps. However, you can modify the predefined policy rule to block specific apps by selecting individuals, application groups, or application filters.
      • Application—Add one or more GenAI apps.
      • Application Group—An application group is a static grouping of individual apps that you create.
      • Application Filter—An application filter dynamically groups applications based on app filters you define.
        For example, you can use a predefined or custom GenAI app filter to dynamically control access to GenAI apps in your organization rather than adding individual GenAI apps or creating an application group that must be updated manually each time a change is required.
    6. Save.
    7. Push Config and Push.

    © 2026 Palo Alto Networks, Inc. All rights reserved.