Getting Started
  • Getting Started
  • AI Access Security Documentation
  • All Documentation
>
Associate the Application-Tagging Snippet
Focus
Download PDF
Focus
  1. Home
  2. AI Access Security
  3. Getting Started
  4. Associate the Application-Tagging Snippet
Download PDF
AI Access Security

Associate the Application-Tagging Snippet

Table of Contents

Associate the Application-Tagging Snippet

Perform the initial AI Access Security configuration to enable safe adoption of GenAI applications across your organization.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
One of the following:
  • AI Access Security license
  • CASB-PA license
  • CASB-X license
To support tagging, a predefined snippet named Application-Tagging is available in Strata Cloud Manager. This snippet is required to support tag-based policy rule enforcement. The Application-Tagging snippet contains tagging information to indicate which GenAI apps are approved for use within your organization. Tags are written to, and read from, the Application-Tagging snippet to determine whether an app is tagged as Sanctioned or Tolerated. Apps that are not explicitly tagged as Sanctioned or Tolerated are considered Unsanctioned. Tags are displayed in AI Access Security, the Activity Insights Applications page, and the Strata Cloud Manager Command Center from the information in the Application-Tagging snippet.
You can re-tag an app based on a GenAI app’s risk score and other considerations. The changes that you apply are written to the Application-Tagging snippet. You can then push the new tags as configuration changes to the NGFW or Prisma Access deployment. If you have tagging-based rules on the NGFW or Prisma Access deployment, traffic for the re-tagged app will be enforced according to the app's new tag. For example, you might have a rule on the NGFW that allows traffic only for Sanctioned or Tolerated apps. By tagging an app as Sanctioned and pushing the changes to the NGFW, you can allow traffic for the app without having to modify the rule.
To push tags to your NGFW or Prisma Access deployment, you must first associate the Application-Tagging snippet with the appropriate scope. Make sure that you associate the Application-Tagging snippet only with NGFWs or Prisma Access deployments that have the App‑ID Cloud Engine (ACE) enabled. The Application-Tagging snippet uses ACE because the AI Access Security, CASB-PA license, and CASB-X licenses give you access to a wider array of apps through the ACE service. Apps are identified in the Application-Tagging snippet by using ACE App-IDs. For this reason, the configuration push will fail if the NGFW or Prisma Access deployment isn't configured to receive App-IDs from ACE.
  1. Log in to Strata Cloud Manager.
  2. Tag GenAI apps in the Application-Tagging snippet to match the existing tags that you applied to app.
  3. Remove the existing Sanctioned and Tolerated app tags from all Configuration Scopes.
    In September 2024, we updated the way application tagging is implemented. If you tagged apps prior to this update, be aware that tag information displayed in the AI Access Security, the Activity Insights Applications page, and the Strata Cloud Manager Command Center might no longer reflect what is being enforced on the NGFW or Prisma Access deployment. The predefined Sanctioned and Tolerated tags that you applied prior to this update can still affect tag-based policy enforcement on the NGFW or Prisma Access deployment. To ensure correct tag-based policy enforcement, remove all Sanctioned or Tolerated app tags applied prior to this September 2024 update.
    1. Select Manage ConfigurationNGFW and Prisma AccessObjectsApplicationApplications.
    2. Remove all Sanctioned and Tolerated app tags from all other Configuration Scopes.
      1. Change the Configuration Scope to the folder where you previously managed your app tags.
        For example, if you manage your app tags from the Global folder, select Global in the Configuration Scope.
      2. Select your apps from the list of Matching Applications.
        You can use the Sanctioned and Tolerated Tags filters to quickly narrow down the list of tagged apps.
      3. Remove Tag and confirm to remove existing tags.
        This only removes tags added by an admin and not any of the predefined tags associated with the app by default.
      4. Repeat this step to remove all Sanctioned and Tolerated tags from all apps in all Configuration Scopes.
  4. Select ManageConfigurationNGFW and Prisma AccessOverview.
  5. Select Configuration ScopeSnippetsApplication-Tagging.
  6. In the Snippet Associations area, select the settings gear icon to display the scopes that you can associate with the Application-Tagging snippet.
  7. Select the scopes that you want to associate with the Application-Tagging snippet. Remember to make sure that you associate the Application-Tagging snippet only with NGFWs or Prisma Access deployments that have ACE enabled.
    If you tag apps as Sanctioned or Tolerated from the Applications page in Strata Cloud Manager (ManageConfigurationNGFW and Prisma AccessObjectsApplicationApplications), make sure you set the Configuration Scope to the Application-Tagging snippet.
    Tagging to the Application-Tagging scope is important for the following reasons:
    • The tags that are displayed in AI Access Security, the Activity Insights Applications page, and the Strata Cloud Manager Command Center are read from the Application-Tagging snippet. If you tag an application in a different scope, the tags that are enforced by policy might not be the same as the tags shown in the various user interfaces.
    • If the app that is tagged in the Application-Tagging scope and also tagged in a different scope, tag-based policy enforcement will be based on an evaluation order that might cause unexpected enforcement behavior.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.