Policy Recommendation Best Practices
Create Security policy rule recommendations to secure IoT devices and unsanctioned SaaS applications in PAN-OS and Prisma Access.
SaaS Policy Recommendation and IoT Policy Recommendation enable SaaS Security and IoT Security administrators to create Security policy recommendations and submit them to:
- PAN-OS firewalls and Panorama (SaaS and IoT Policy Recommendation).
- Panorama Managed Prisma Access (SaaS and IoT Policy Recommendation).
- Cloud Managed Prisma Access (SaaS Policy Recommendation only).
Cloud-based services such as IoT and SaaS policy recommendation cannot be used in air-gapped environments because they require a cloud connection.
In air-gapped environments, for IoT Security, consider using Panorama as the management engine for interacting with the cloud service and receiving policy recommendations. Then push the recommendations to the managed firewalls that don't have cloud connectivity. This solution applies only to the policy recommendations themselves. Functions such as device-to-IP mapping still require cloud connectivity for managed devices.
SaaS Policy Recommendation controls unsanctioned SaaS applications in PAN-OS and Prisma Access. IoT Policy Recommendation controls unmanaged network devices in PAN-OS and Panorama Managed Prisma Access. Their workflows have many similarities.
Requirements:
- SaaS Policy Recommendation:
  - The SaaS Security Inline license includes the App-ID Cloud Engine (ACE), which provides thousands of SaaS App-IDs for policy recommendations. SaaS Policy Recommendation requires ACE deployment.
  - PAN-OS 10.1 or later for PAN-OS and Panorama Managed Prisma Access.
  - Enterprise Data Loss Prevention (DLP) to implement best practices data loss prevention and gain visibility into data.
  - Set up Azure AD for User-ID to specify users in policy rule recommendations (you can't create user-based policy rules without User-ID).
- IoT Policy Recommendation:
  - Ensure the proper support for PAN-OS and/or Prisma Access.
  - Enable Device-ID in each zone in which you want to control IoT devices. (Device-ID is to IoT Security what User-ID is to SaaS Security—Device-ID is the "who" of IoT Security.)
Panorama can push SaaS and IoT policy recommendations only to firewalls that have the
appropriate licenses, so they must be installed on firewalls that use IoT and SaaS policy
recommendations. If the managed devices don't have the appropriate licenses, the push
fails.
In addition to licenses, to function properly and in a best practices manner, both IoT and SaaS policy recommendation require:
- A valid device certificate on each appliance that uses SaaS or IoT policy recommendation.
- A connection to Cortex Data Lake for visibility into the traffic.
- Log Forwarding to Cortex Data Lake configured in each Security policy rule recommendation. For SaaS Security, forward Traffic logs, URL Filtering logs, and Threat logs at a minimum.
SaaS Policy Recommendation helps you control unsanctioned applications.
To secure sanctioned SaaS applications, use SaaS Security API. SaaS Security API provides security for supported commonly sanctioned SaaS applications and enables you to manage policy for those SaaS applications.
- Policy Recommendation Concepts—Crucial ideas to understand before you recommend policies.
- Policy Recommendation Workflow—SaaS and IoT workflows and workflow best practices.
Policy Recommendation Concepts
SaaS and IoT policy recommendation have many similarities in their workflows and goals. The workflows and thought process for policy recommendation in PAN-OS and Prisma Access also have many similarities. Review Security Policy Rule Best Practices to better understand best practices for the components of rules.
Cloud Managed Prisma Access does not support IoT Policy Recommendation.
SaaS Security and IoT Security administrators submit policy recommendations to PAN-OS and Prisma Access. PAN-OS administrators import SaaS policy recommendations and IoT policy recommendations into PAN-OS and Panorama Managed Prisma Access. Cloud Managed Prisma Access administrators import SaaS policy recommendations in the cloud platform.
Different administrators often must cooperate to recommend and implement policy rules, so
good communication between administrators is critical.
General best practices for IoT Policy Recommendation include:
- Know whether discovered devices belong on your network.
- Ensure that the discovered applications you see for devices are appropriate for those devices.
- Understand the detected device vulnerabilities.
- Allow enough time for IoT Security to collect enough data about devices to identify them with high confidence.
General best practices for SaaS Policy Recommendation include:
- Know the applications and application types that should and should not be on your network. Create a formal list of sanctioned, tolerated, and unsanctioned applications and application types, and tag applications appropriately as you gain visibility into them. View usage data for unsanctioned applications and use filters to see who uses applications and how they are used. Use the Visibility tools to view discovered applications and then tag the discovered applications.
- Understand the data you want to look for in files so you can create appropriate DLP profiles for policy rule recommendations.
- Most SaaS policy rule recommendations are for blocking traffic. Applying the principle of least privilege access to SaaS applications is more complex than applying it only to content-delivered applications because there are tens of thousands of SaaS applications to control. If SaaS policy recommendations are too strict, they may impact business applications. Be sure that you understand the applications and application types that you intend to block before you block them. Use filters to focus on high-risk categories such as file transfer and CMS applications and to check which applications have the highest usage. Focus on those categories and subcategories first.
- Use as many context-based components as possible to create least privilege access policy recommendations. Implement User-ID using the Cloud Identity Engine (CIE) (requires Azure AD) to make necessary access exceptions for users and groups. Use Enterprise DLP to prevent loss of sensitive data.
- For Cloud Managed Prisma Access, if your organization's administrative policy permits it, add the SaaS Security app to the cloud management console. Use the cloud management console to manage SaaS policy recommendations (and SaaS Security and other cloud apps) instead of using standalone apps to gain the following benefits:
  - Manage all cloud security elements from a single interface instead of from different app interfaces.
  - One administrator can perform all SaaS policy recommendation actions, including adding the rule to the Prisma Access rulebase. If you manage with the standalone app, you can create the policy recommendation but you have to switch to another app or hand off to another administrator to add the rule to Prisma Access.
  To use SaaS Security and Enterprise DLP in the cloud management console, you must enable Web Security in the console. (This is a free feature, not a subscription.)
You can create SaaS policy recommendations using predefined policy recommendations and by creating user-created policy recommendations.
Policy Recommendation Workflow
This workflow is valid for IoT Security and for both the SaaS Security app (PAN-OS, Panorama Managed Prisma Access) and the cloud management console (Cloud Managed Prisma Access). Each step indicates which administrators are involved. It's helpful for each administrator to understand the responsibilities of other administrators who are involved in policy recommendations.
- (All Administrators) Create open lines of communication between administrators who administer different parts of policy recommendation. Policy recommendation often requires different administrators to work together to recommend, import, and integrate new SaaS Security and IoT Security policy rules into the PAN-OS or Prisma Access rulebase. Devise a process that ensures good communication when an IoT Security or SaaS Security administrator hands off a policy recommendation to a Panorama, firewall, or Prisma Access administrator. The handoff occurs after an IoT Security or SaaS Security administrator creates a new rule, modifies an existing rule, or deletes a rule and enables (submits in SaaS Security) or activates (IoT Security) the rule. The administration workflow is:
  - SaaS Security Administrators create new rule recommendations, add applications, users/user groups, and DLP profiles, and set the action. They review rule recommendations and then submit them to PAN-OS, Panorama Managed Prisma Access, or Cloud Managed Prisma Access. Review the guidelines for SaaS Security administrator collaboration and authoring. IoT Security Administrators evaluate automatically generated rule recommendations, modify them as needed, create policy sets (groups of rule recommendations based on traffic from IoT devices in the same device profile), and submit them to PAN-OS and Panorama Managed Prisma Access.
  - PAN-OS and Prisma Access Administrators import SaaS and IoT policy recommendations. They evaluate rule recommendations, import them, and add Security profile groups and other objects to the rules. They also order the rules in the Security policy rulebase. When Panorama pushes policy recommendations to firewalls and Prisma Access, the firewall and Prisma Access administrators import the recommended rules. Administrators must communicate to add the appropriate objects to the recommended rules and understand the purpose of those rules. For Cloud Managed Prisma Access, the same administrator may handle both SaaS policy recommendations and Prisma Access duties, especially if the administrator manages both apps on the cloud management console.
  - SaaS and IoT Security Administrators update or delete a rule recommendation and then submit the change to PAN-OS or Prisma Access. PAN-OS and Prisma Access Administrators see the rule update or deletion and either import the updated rule or delete the rule from PAN-OS or Prisma Access.
  Communication among administrators is crucial so that all parties understand the purpose of recommended rules, the purpose of rule updates, and why a rule is deleted. Communication among administrators helps ensure that SaaS and IoT policy recommendations don't sit in PAN-OS or Prisma Access waiting for an administrator to notice their presence and import them into the rulebase.
- (SaaS Security and IoT Security Administrator) SaaS Security administrators need to assess the risks of unsanctioned SaaS applications, and IoT Security administrators need to understand device profiles, which describe types of unmanaged devices on the network and their behavior. IoT Security automatically learns about unmanaged devices on the network and creates a device profile for each set of similar devices. The profile describes the devices' characteristics. Be familiar with SaaS applications and IoT devices on your network:
  - SaaS—Wait for at least seven business days of data before you analyze an application for policy recommendation. Gather enough data to understand the application and its business usage. IoT—Monitor the list of device profiles to see which ones are eligible for policy recommendation. You can create a policy recommendation when the confidence rating for a device profile reaches 90%, which indicates high confidence about device behavior. Some devices produce less traffic and can take time to achieve a high confidence rating. Allow time for IoT Security to collect sufficient data to achieve a 90% confidence rating.
  - SaaS—Understand how and why users use specific SaaS applications and whether there are business reasons to allow those applications. IoT—Understand whether the discovered devices belong on your network. If your business is banking, then seeing a medical device on your network may indicate an issue.
  - SaaS—Assess the Security and Privacy, Identity Access Management, and Compliance attributes of SaaS applications based on risk tolerance. IoT—In medical environments, assess the compliance risk of medical IoT devices.
  - SaaS—Tag sanctioned, tolerated, and unsanctioned applications to categorize them.
- (SaaS Security Administrator) Configure predefined SaaS policy recommendations. (IoT Security administrators skip to Step 5.) Predefined SaaS policy rule recommendations block application access, personal account access, and content sharing and access, and enforce read-only access for appropriate users. Adding applications to predefined recommendations is an easy way to start locking down SaaS applications. To use SaaS Security and Enterprise DLP in the cloud management console, you must enable Web Security in the console. (This is a free feature.) In the cloud management console, the same administrator may be able to create SaaS policy recommendations and import them into Prisma Access.
  - Select a predefined rule (Discovered Apps > Policy Recommendations in the cloud management console, or Visibility > Security Rules in the SaaS Security console).
  - Select and add applications to the rule. If the rule doesn't apply to all users, add users and user groups. Be sure that you understand the applications and application types that you intend to block before you block them, and understand who needs to use certain applications for business purposes. Focus on risky application types first, such as file sharing, content management, and collaboration and productivity applications. Reduce uploads to file sharing sites so that only users who need to upload for business purposes have access, and only to the file sharing applications used for business purposes.
  - If you have an Enterprise DLP license (best practice), add a DLP profile to inspect traffic for sensitive information and protect against unauthorized access, including predefined profiles for supported DLP applications.
  - Verify that the rule does what you want it to do in the way you want to do it.
  - Save the default rule.
  - Enable the rule to submit it to PAN-OS or Prisma Access. You must enable rules for PAN-OS or Prisma Access administrators to import them. Communicate about enabled rule(s) with the administrator who is responsible for checking, evaluating, and importing SaaS policy recommendations.
- (SaaS Security Administrator) Configure user-defined SaaS policy recommendations. (IoT Security administrators skip to Step 5.) Use the filters in the Discovered Applications view to find applications and their usage metrics and to help you understand whether to block or allow an application. Focus on the riskiest application categories, such as file transfer, content management, and collaboration and productivity applications. High Risk applications that also have high Usage tend to have the highest risk potential. Select applications to see who uses the application and how they use it. When you configure policy recommendations and submit them, PAN-OS and Prisma Access create any attached HIP profiles, tags, and application groups automatically. If you have an Enterprise DLP license on the target firewalls, the DLP profile is also created (otherwise, the submission fails). The submission fails if the SaaS Security administrator adds any other types of profiles to a rule recommendation and those profiles do not already exist on the firewall. If the attached profile objects exist on the firewall, the submission succeeds. (The PAN-OS or Prisma Access administrator can add profiles to imported rule recommendations. In Cloud Managed Prisma Access, you can only add profile groups, not individual profiles.) The appropriate licenses for profiles need to be on all firewalls that import SaaS policy recommendations. User groups from CIE are consistent across your organization. If you don't use CIE or if you can't sync from CIE, Users & Groups configuration is not available in SaaS Security and you can't base SaaS policy recommendations on users. The best practice is to use CIE and create application policy based on who needs to access applications for business purposes. To enforce SaaS Security and Enterprise DLP, you must enable Web Security in the cloud management console. (This is a free feature.) In the cloud management console, the same administrator may be able to create SaaS policy recommendations and import them into Prisma Access. To configure best practices SaaS policy recommendations:
  - Create new SaaS Security policy recommendations:
    - SaaS Security console: Visibility > Security Rules > Create New Rule
    - Cloud management console: Discovered Apps > Policy Recommendations > Add Policy
  - Follow best practices for specifying the rule Name and Description.
  - Add applications to the rule. Use the category, risk, and capabilities filters to find SaaS applications. Add applications to the rule directly from the filter results. Focus on the riskiest, highest usage applications first.
  - Select the User Activity to detect. All the applications selected for the rule must support the selected user activities. If an application doesn't support an activity, the interface returns an error.
  - Configure the rest of the rule's parameters:
    - Users & Groups—You must use and sync from CIE to specify users and groups in SaaS policy recommendation.
    - Device Posture—Specify which types of devices can access the rule's applications. When a rule is imported in PAN-OS or Prisma Access, the device posture automatically creates a Host Information Profile (HIP) object for mobile devices.
    - Data Profile—You must have an Enterprise DLP license in SaaS Security and on targeted firewalls to use this feature. With an Enterprise DLP subscription, you can create rules for a specific DLP profile and block applications only if they contain data that matches the profile.
    - Response—Allow or Block the traffic that matches the rule. Most recommendations are block rules to prevent over-provisioning access.
  - Verify that the rule does what you want it to do in the way you want to do it.
  - Save the rule.
  - Enable the rule to submit it to PAN-OS or Prisma Access. You must enable rules for PAN-OS or Prisma Access administrators to import them. Communicate about enabled rule(s) with the PAN-OS or Prisma Access administrator who is responsible for checking, evaluating, and importing SaaS policy recommendations. Create SaaS policy rule recommendations provides more details about the workflow.
- (IoT Security Administrator) Configure IoT policy recommendations (PAN-OS and Panorama Managed Prisma Access only) in the IoT Security app. IoT Security automatically generates IoT policy recommendations based on the behavior of devices that belong to a device profile when IoT Security reaches a confidence score (the level of confidence IoT Security has in its identification of a device) of 90% or higher for the profile. The confidence score rises over time as IoT Security gathers more information about the devices. You can edit automatically generated rules before you submit them to Panorama, firewalls, or Prisma Access. IoT Security doesn't provide policy recommendations for IT devices such as PCs, smart phones, or tablets, but IoT Security does identify those devices. Use the automatic policy recommendations to create policy rule sets based on the behavior of IoT devices in the same device profile across multiple IoT Security tenants. A policy rule set includes the policy rule recommendations you select to control the devices in a device profile.
  - Create new IoT Security policy recommendations in either of two ways:
    - Navigate to the Profiles page, hover the cursor over a profile name, and click Create Policy Set in the pop-up.
    - Profiles > <profile-name> > Behaviors, select Outbound Behaviors, select Create Policy, and then click Next.
  - Select Policies shows the automatically generated policy recommendations for the selected device profile, including the applications the devices use.
    - Make sure the applications you see in the list are appropriate for the devices. For example, you shouldn't see the iTunes application when you're looking at printers or cameras. If you see unexpected applications in the list, the device may be compromised. Know your devices and device profiles so that you can craft appropriate recommendations to govern them.
    - Check Alerts Raised. Investigate applications with a high number of alerts before you add them to the policy set, especially if the alerts are high or critical severity.
    - Select the policies you want to apply to the devices. These policies are included in the policy set for the device profile. If you don't see an application that you want to include in the policy set, Add Rule to manually select an application and a destination type and Create the rule.
    - By default, the rule applies to all (Any) destinations detected in traffic for the device profile. If you want to restrict the destinations for an application, click the Destination value (Any), toggle Allow any destination off, and uncheck destinations you don't want to allow in the list.
    - When you are satisfied the policy set contains the rules you want, select Next.
  - In Firewall Configuration > Policy configurations, modify automatically generated recommendations as needed. Policy configurations shows the selected applications.
    - Follow best practices for specifying the policy set Name and Description. Be sure the name identifies what the rule does and the description indicates the rule's purpose.
    - Leave Services as application-default to prevent applications from using non-standard ports, which is an indication of evasive, potentially malicious behavior.
    - Add Security profiles and Security profile groups, log forwarding profiles, and other objects in Panorama or on firewalls, not in the IoT Security app.
  - Review the policy set. When you're sure it's configured as you want it, Create the policy set, which also saves it.
  - Activate Policy Set to make the policy rule recommendation available for import on Panorama and individual firewalls. Communicate about enabled rule(s) with the PAN-OS or Prisma Access administrator who is responsible for checking, evaluating, and importing IoT policy recommendations.
  Create an IoT Policy Set provides more details about the workflow.
- (Panorama and firewall Administrators) (Cloud Managed Prisma Access administrator for SaaS Security only) Evaluate, import, and if necessary, modify policy rule recommendations. Because the cloud management console enables management of all cloud apps in one place, the Cloud Managed Prisma Access administrator might be the same administrator who created the SaaS Security policy recommendations. Before you import rules:
  - Create Security profile groups on Panorama, firewalls, and/or the cloud management console that are ready for you to apply to imported SaaS Security and IoT Security policy recommendations. At the least, create profile groups that alert on most traffic and block known malicious traffic to maintain availability. As you understand policy recommendations better over time, follow Security profile best practices to make the profile groups as strict as possible without endangering the ability to access critical business applications and devices. For SaaS profile groups, know the types of applications and understand who uses the applications to determine which profiles to use and how strict they should be at the start. For IoT profile groups, know your devices and device profiles so that you can craft appropriate Security profile groups to govern them. Understand what the application in the rule means so you can apply the appropriate Security profiles to the group. When you create Security profile groups, consult with the IoT Security and/or SaaS Security administrator to ensure that the Security profile groups make sense for IoT and SaaS policy recommendations.
  - In IoT Security deployments, enable Device-ID in each zone in which you want to control IoT devices. Device-ID is to IoT devices what User-ID is to users and App-ID is to applications—a unique identifier. In zones without Device-ID enabled, you can't enforce Security policy on IoT devices.
  - SaaS policy recommendation requires the App-ID Cloud Engine (ACE), which identifies tens of thousands of SaaS applications so you can create Security policy to control them. ACE requires Log Forwarding to Cortex Data Lake. Follow Log Forwarding best practices when you create the Cortex Data Lake profile. If you use ACE App-IDs in any Security policy rule, even if the rule applies only to one user or user group, the firewall enforces the ACE App-ID for all users. (Once you use the ACE App-ID in policy, the firewall enforces the App-ID the same way it enforces content-provided App-IDs.)
  To import SaaS and IoT policy recommendations:
  - Periodically check for imported rules. Refresh the IoT or SaaS policy recommendation page to ensure that you see the latest policy recommendations:
    - Panorama: Panorama > Policy Recommendation > SaaS or Panorama > Policy Recommendation > IoT.
    - Firewalls: Device > Policy Recommendation > SaaS or Device > Policy Recommendation > IoT.
    - Cloud Managed Prisma Access (SaaS Policy Recommendation only): Select Policy Recommendation (Manage > Web Security > Web Access Policy), and then select the Policy Recommendations tab to see New SaaS Rule Recommendations.
  - Select and evaluate new rules. Ensure all of the objects, addresses, etc., in the imported rule make sense. If you're not sure about something in the recommendation, talk with the IoT Security or SaaS Security administrator to ensure that you understand the purpose of the rule and its components. For SaaS policy rule recommendations, ensure that user access to the applications isn't too broad.
  - The rule import process enables you to modify the rule as well as position it in the Security policy rulebase. Select a rule or rules to import, then:
    - Panorama and PAN-OS firewalls: Import Policy Rule. You can import up to ten IoT policy rules at a time.
    - Cloud Managed Prisma Access (SaaS Policy Recommendation only): Actions > Import.
    Do not finish the rule import until you complete the following steps to add Security and Log Forwarding profiles, assess the rule, and select its order in the Security policy rulebase. When you import a rule, PAN-OS and Prisma Access automatically create some of the rule's objects in the policy rule:
    - Importing IoT policy recommendations automatically creates the Device object, including device-to-IP mappings, based on the IoT device profile. After Panorama imports the Device object and pushes it to managed firewalls, the firewalls pull down the device-to-IP mapping directly from the cloud. Panorama is not involved in refreshing the device-to-IP mapping.
    - Importing SaaS policy recommendations automatically creates any required HIP profiles, tags, and application groups. For Enterprise DLP profiles, the target devices must have an Enterprise DLP license. Any other profiles can only be imported if they already exist on the target device.
  - Add a Security profile group to each rule. Using profile groups instead of individual profiles is faster, easier, and prevents accidentally omitting a profile from a rule. It also enables you to start with a profile group that mostly alerts and easily replace it with a stricter profile group as you gain experience with SaaS applications and IoT devices. Applying profiles to SaaS application and IoT device rules differs:
    - SaaS Security policy rule recommendations:
      - PAN-OS and Panorama Managed Prisma Access—Apply Advanced Threat Prevention and Advanced URL Filtering best practices profiles to SaaS application traffic.
      - Cloud Managed Prisma Access—You can apply Security profile groups to policy recommendations, but not individual Security profiles. Add Security profiles to a profile group and apply the group to a rule. The best practice Security profile recommendations for Cloud Managed Prisma Access differ slightly from the recommendations for PAN-OS and Panorama Managed Prisma Access.
    - IoT Security policy rule recommendations—To prevent malicious behavior, make sure Security profiles are appropriate for the device. Work with the IoT Security administrator to understand the behavior and alerts for different devices shown in the device profiles. Apply profiles to IoT policy recommendations based on behavior and alerts. Look for common weaknesses in IoT devices, such as weak manufacturer credentials, connections to risky URLs, out-of-date antivirus, allowing access to rogue devices, insecure protocols, and EOL operating systems, as well as devices that are unpatched or that can't be patched.
      - Apply Vulnerability Protection profiles and Anti-Spyware profiles (to prevent command-and-control malware) to all devices.
      - If a device has outbound traffic to the internet, especially to unknown destinations, apply Advanced URL Filtering and Advanced Threat Prevention. If the device can send files, add Advanced WildFire and File Blocking profiles.
      - If the device has server ports and accepts incoming connections, apply DoS Protection in addition to File Blocking, Advanced WildFire, and Advanced Threat Prevention profiles.
  - Add a Log Forwarding profile to each rule.
    - For IoT policy recommendations, add the IoT Security Default Profile - EAL Enabled predefined Log Forwarding profile, which provides all the log types IoT Security requires, including enhanced application logs.
    - SaaS policy recommendation requires ACE to identify SaaS applications. ACE requires Log Forwarding to Cortex Data Lake, so Security policy rules based on SaaS applications also require Log Forwarding to Cortex Data Lake. After you import rules, you can apply Log Forwarding profiles to multiple rules at one time using Log Forwarding for Security Services in Policy Optimizer to identify Security policy rules that don't have a Log Forwarding profile attached (select None in the filter).
  - In Panorama and in Cloud Managed Prisma Access, select whether the rule is a pre-rule or a post-rule. (Does not apply to standalone firewalls.) The precedence order for evaluating rules is pre-rules, then deployment-specific rules, then post-rules. Cloud Managed Prisma Access pre-rules and post-rules reside in the shared configuration folder. Panorama pre-rules and post-rules reside in Policies > Security. In Panorama, you can specify device groups for the rule.
  - Select the rule that you want the imported rule to go after in the Security policy rulebase. Follow rulebase best practices. Do not choose No Rule Selection, which places the rule at the top of the Security policy rulebase. The top of the rulebase is often the wrong place for a new rule. For example, a new allow rule won't be subject to critical rules that block known malicious traffic. A new block rule may block access for legitimate users if it isn't placed after an allow rule for the application's legitimate users. Order each rule appropriately in the rulebase.
  - Check the rule and if you're satisfied with it, import it.
    - Cloud Managed Prisma Access—Import.
    - Panorama and standalone firewalls—OK. After importing rules, Panorama administrators must push the rules to managed firewalls and firewall administrators must import them before they become active on the firewall. Refresh Device > Policy Recommendation > IoT or Device > Policy Recommendation > SaaS to see the newest recommendations. Firewall administrators may need to modify rules after importing them. Firewall administrators should check with Panorama, SaaS Security, or IoT Security administrators if they're not sure about the purpose of the rule. Check the Security policy rulebase to ensure that the rule is in the proper order.
  - (IoT Security only) After importing the rule, view the Device Object to check the attribute filters for the device. Use IoT device attributes in Security policy to better identify devices. Importing an IoT policy rule automatically imports the attributes associated with the device and creates its Device-ID. Device-ID is to IoT devices what User-ID is to people. Although there are six device attributes, firewalls often receive only one attribute from a device. If the Device Object (Objects > Devices) specifies attributes that the device doesn't send to the firewall, then the traffic doesn't match the device and the rule doesn't control the device, so only specify attributes that devices send to the firewall. Click the Device-ID in the rule to pop up its associated Device Object. Run the CLI command show iot ip-device-mapping-mp all or show iot ip-device-mapping-mp ip <IP-address> to validate that the firewall receives the attributes imported with the rule. If the firewall doesn't receive an attribute that's configured in the Device Object, remove the attribute from the device object.
  For detailed configuration procedures, refer to the appropriate Administrator's Guide:
  - IoT Security:
  - SaaS Security:
    - PAN-OS and Panorama Managed Prisma Access—Import SaaS Policy Recommendations (for standalone firewalls; on Panorama, you also specify whether the imported rule is a pre- or post-rule and push the rule to firewalls after importing it in Panorama).
    - Cloud Managed Prisma Access—View SaaS policy recommendations, Import new SaaS policy recommendations.
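To make the ordering and profile points of the import step concrete, the following Python model is added here; it is not PAN-OS, Panorama or Prisma Access code and does not come from this guide. It evaluates a rulebase first-match in the pre-rule, deployment-specific, post-rule order described above, then runs the two checks an importing administrator wants: whether an imported allow rule placed with No Rule Selection bypasses a pre-rule that blocks known malicious destinations, and which rules still lack a Security profile group or Log Forwarding profile (the Policy Optimizer "None" filter). All rule names, App-IDs, user groups and the 203.0.113.10 destination are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Minimal stand-in for a Security policy rule (hypothetical model, not PAN-OS)."""
    name: str
    action: str                            # "allow" or "block"
    apps: frozenset                        # App-IDs, or {"any"}
    users: frozenset                       # user groups, or {"any"}
    dests: frozenset                       # destination addresses, or {"any"}
    profile_group: Optional[str] = None    # Security profile group attached to the rule
    log_forwarding: Optional[str] = None   # Log Forwarding profile attached to the rule


@dataclass(frozen=True)
class Flow:
    app: str
    user: str
    dest: str


ANY = frozenset({"any"})


def _matches(values: frozenset, value: str) -> bool:
    return "any" in values or value in values


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_matches(rule.apps, flow.app)
            and _matches(rule.users, flow.user)
            and _matches(rule.dests, flow.dest))


def build_rulebase(pre: List[Rule], local: List[Rule], post: List[Rule]) -> List[Rule]:
    """Evaluation order from the text: pre-rules, then the firewall's own
    (deployment-specific) rules, then post-rules."""
    return [*pre, *local, *post]


def first_match(rulebase: List[Rule], flow: Flow) -> Optional[Rule]:
    """First-match evaluation; None when no rule matches (defaults not modelled)."""
    return next((r for r in rulebase if rule_matches(r, flow)), None)


def place_after(rulebase: List[Rule], new_rule: Rule, after_name: Optional[str]) -> List[Rule]:
    """after_name=None mirrors 'No Rule Selection': the rule lands at the very top."""
    rules = list(rulebase)
    if after_name is None:
        return [new_rule, *rules]
    idx = next(i for i, r in enumerate(rules) if r.name == after_name)
    rules.insert(idx + 1, new_rule)
    return rules


def bypassed_pre_rules(rulebase: List[Rule], pre: List[Rule], new_rule: Rule,
                       samples: List[Flow]) -> List[str]:
    """Pre-rules that would match a sample flow but now sit below the imported
    rule, so the flow is decided before it ever reaches them."""
    pre_names = {r.name for r in pre}
    bypassed = set()
    for flow in samples:
        hit = first_match(rulebase, flow)
        if hit is None or hit.name != new_rule.name:
            continue
        bypassed.update(r.name for r in rulebase
                        if r.name in pre_names and rule_matches(r, flow))
    return sorted(bypassed)


def rules_missing_profiles(rulebase: List[Rule]) -> List[str]:
    """Rules with no Security profile group or no Log Forwarding profile."""
    return [r.name for r in rulebase
            if r.profile_group is None or r.log_forwarding is None]


# Constructed sample rulebase and traffic (not from any real deployment).
MALICIOUS_DEST = "203.0.113.10"   # stands in for an entry on a known-malicious EDL
PRE_RULES = [Rule("block-known-malicious", "block", ANY, ANY,
                  frozenset({MALICIOUS_DEST}), "strict-group", "cdl-forwarding")]
LOCAL_RULES = [Rule("allow-sanctioned-crm", "allow", frozenset({"sanctioned-crm"}),
                    ANY, ANY, "alert-group", "cdl-forwarding")]
POST_RULES = [Rule("deny-all", "block", ANY, ANY, ANY, "strict-group", "cdl-forwarding")]
# A SaaS recommendation as it arrives for import: match objects created, profiles not yet added.
IMPORTED = Rule("saas-rec-allow-file-sharing", "allow", frozenset({"file-share-app"}),
                frozenset({"finance-uploaders"}), ANY)
SAMPLE_FLOWS = [
    Flow("file-share-app", "finance-uploaders", MALICIOUS_DEST),   # upload to a known-bad destination
    Flow("file-share-app", "finance-uploaders", "198.51.100.7"),   # legitimate business upload
    Flow("file-share-app", "contractors", "198.51.100.7"),         # user outside the rule's group
]


def evaluate_placement(after_name: Optional[str]) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Import IMPORTED after the named rule; return per-flow decisions plus both checks."""
    placed = place_after(build_rulebase(PRE_RULES, LOCAL_RULES, POST_RULES), IMPORTED, after_name)
    decisions = {}
    for flow in SAMPLE_FLOWS:
        hit = first_match(placed, flow)
        decisions[f"{flow.user}->{flow.dest}"] = hit.name if hit else "no-match"
    return (decisions,
            bypassed_pre_rules(placed, PRE_RULES, IMPORTED, SAMPLE_FLOWS),
            rules_missing_profiles(placed))


if __name__ == "__main__":
    for choice in (None, "block-known-malicious"):
        label = "No Rule Selection (top)" if choice is None else f"after {choice}"
        decisions, bypassed, missing = evaluate_placement(choice)
        print(f"{label}: {decisions}\n  bypassed pre-rules: {bypassed}\n  rules lacking profiles: {missing}")
```

With No Rule Selection the upload to the known-bad destination is allowed by the imported rule; placed after block-known-malicious, the pre-rule catches it while legitimate uploads still hit the new rule, and in both cases the checker reports the imported rule as lacking profiles until the administrator adds them.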
- (All Administrators) Update and delete policy recommendations as needed to keep the Security policy rulebase up to date. Importing policy recommendations is an ongoing process. Administrators recommend new rules, modify rules, and delete old rules. The IoT device population grows and device postures change over time. The number of SaaS applications increases, and the applications your enterprise tags as sanctioned, tolerated, and unsanctioned change over time. Create checklists of daily, weekly, and monthly items to monitor and maintain visibility into IoT devices and SaaS applications. Procedures to import updated policy recommendations:
  - IoT Security: Modify and update IoT policy rule recommendations includes both the IoT Security and PAN-OS steps.
  - SaaS Security:
    - SaaS Security Inline—Modify Active SaaS Policy Rule Recommendations shows how to modify an existing rule in SaaS Security.
    - Cloud Managed Prisma Access—Update Imported SaaS Policy Rule Recommendations on Prisma Access. If the same administrator is both the SaaS policy recommendation and Prisma Access administrator, you can enable automatic updates to automatically apply rule recommendation changes.
    - Panorama Managed Prisma Access and PAN-OS—Import Updated SaaS Policy Recommendation shows how to check for and import updated SaaS Security policy recommendations.
  Procedures to remove deleted policy recommendations:
  - IoT: Delete and remove policy rule recommendations includes both the IoT Security and PAN-OS steps.
  - SaaS Security:
    - SaaS Security Inline—Delete SaaS Policy Rule Recommendations shows how to delete an existing rule in SaaS Security.
    - Cloud Managed Prisma Access—Remove Deleted SaaS Policy Rule Recommendations on Prisma Access.
    - Panorama Managed Prisma Access and PAN-OS—Remove Deleted SaaS Policy Recommendation.