Define Policy to Control GenAI App Usage

AI Access Security

Create policies to control the use of GenAI apps in your enterprise.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
One of the following:
  • AI Access Security license
  • CASB-PA license
  • CASB-X license
You can create policies to control the use of GenAI apps in your enterprise. Policies created using Web Security in Strata Cloud Manager and Security policies in Panorama respectively give you precise and granular control of all your GenAI app usage.
  • In Strata Cloud Manager, even though you can create policies for GenAI apps through Security Policies, it is recommended that you use Web Security to create policies efficiently.
  • It is not recommended to have both GenAI and non-GenAI apps in the same policy if the Enterprise Data Loss Prevention (E-DLP) license is not active.
For Strata Cloud Manager, the Default Web Access Policies such as the Global Web Access and Global Catch All policies are used to control outbound traffic and web applications. To control the use of GenAI applications in your enterprise with an out-of-the-box policy, use the Default GenAI App Access policies (under Default Web Access Policies). Use Custom Web Access Policies to create custom policies to control the use of GenAI apps.
For Panorama, use the existing procedure for creating Security policies to create policies that control the use of GenAI apps in your enterprise.

Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)

Create custom policy rules in Strata Cloud Manager to control GenAI app usage in your organization.
Your Web Security policy rules are evaluated and enforced ahead of your Security policy rules. In the event that a Web Security policy rule and a Security policy rule both apply to the same traffic, the Web Security policy rule Action and Enterprise DLP inspection configuration take precedence over the Security policy rule. After a successful match to a Web Security policy rule, no further policy rule evaluation is performed.
For example, you create a Web Security policy rule and a Security policy rule that both apply to User Group A and multiple GenAI apps.
  • Web Security Policy Rule A allows User Group A access to the specified GenAI apps and has an Enterprise DLP Data Profile A associated with the GenAI apps to prevent exfiltration of sensitive data.
  • Security Policy Rule B blocks User Group A's access to the same specified GenAI apps.
In this case, when any user in User Group A accesses a GenAI app specified in the Web Security and Security policy rules, they are allowed, and Enterprise DLP inspection and verdict rendering are performed, because Web Security Policy Rule A is higher in the policy rulebase evaluation order.
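The evaluation order described above, together with the Panorama note later on this page that a blocking Profile Setting takes precedence over an Allow Action Setting, as an added model in Python. This is illustration code written for this page, not Palo Alto Networks code; the rule names follow the example above, and the app names, "User Group B" rule and the implicit deny when nothing matches are constructed assumptions for the demonstration.

```python
"""Model of the policy-rulebase precedence described on this page.

Added illustration (not Palo Alto Networks code). It simulates three points
the page makes: Web Security rules are evaluated before Security rules, the
first matching rule ends evaluation, and within a Panorama Security rule a
blocking Security Profile verdict overrides an Allow action.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    user_groups: set                 # source user groups the rule applies to
    apps: set                        # GenAI apps the rule covers
    action: str                      # "allow" or "deny"
    dlp_profile: Optional[str] = None            # E-DLP data profile attached to allowed apps
    profile_blocks: set = field(default_factory=set)  # apps a Security Profile verdict blocks


@dataclass
class Verdict:
    action: str
    matched_rule: Optional[str]
    dlp_inspection: Optional[str] = None   # data profile applied, if any


def first_match(rulebase, user_group, app):
    """Top-down first match, as in a firewall rulebase."""
    for rule in rulebase:
        if user_group in rule.user_groups and app in rule.apps:
            return rule
    return None


def evaluate(web_security_rules, security_rules, user_group, app):
    """Return the verdict for one user group accessing one GenAI app."""
    # 1. Web Security rulebase is evaluated first; a match ends evaluation.
    rule = first_match(web_security_rules, user_group, app)
    if rule is not None:
        dlp = rule.dlp_profile if rule.action == "allow" else None
        return Verdict(rule.action, rule.name, dlp)
    # 2. Only traffic with no Web Security match reaches the Security rulebase.
    rule = first_match(security_rules, user_group, app)
    if rule is None:
        # Constructed default for this model: nothing matched, traffic is denied.
        return Verdict("deny", None)
    # 3. Profile Setting takes precedence over Action Setting: an Allow rule
    #    whose attached profile blocks this app still blocks it.
    if rule.action == "allow" and app in rule.profile_blocks:
        return Verdict("deny", rule.name)
    dlp = rule.dlp_profile if rule.action == "allow" else None
    return Verdict(rule.action, rule.name, dlp)


# Constructed sample rulebases reproducing the example on this page.
WEB_SECURITY_RULES = [
    Rule("Web Security Policy Rule A", {"User Group A"},
         {"genai-app-1", "genai-app-2"}, "allow", dlp_profile="Data Profile A"),
]
SECURITY_RULES = [
    Rule("Security Policy Rule B", {"User Group A"},
         {"genai-app-1", "genai-app-2"}, "deny"),
    # Assumed extra rule: Allow action, but a profile verdict blocks chatgpt.
    Rule("Security Policy Rule C", {"User Group B"}, {"chatgpt"}, "allow",
         profile_blocks={"chatgpt"}),
]


if __name__ == "__main__":
    for group, app in [("User Group A", "genai-app-1"),
                       ("User Group B", "chatgpt"),
                       ("User Group B", "genai-app-1")]:
        print(group, app, evaluate(WEB_SECURITY_RULES, SECURITY_RULES, group, app))
```

Running the script shows User Group A reaching genai-app-1 is allowed by Web Security Policy Rule A with Data Profile A inspection even though Security Policy Rule B would deny it, and User Group B reaching chatgpt is denied by the profile verdict despite the rule's Allow action. Reordering the two rulebases in the call inverts the first outcome, which is the point of the evaluation-order note.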
  1. Use the AI Access Security Insights dashboard to discover risks posed by GenAI apps.
    The AI Access Security Insights dashboard provides detailed and comprehensive visibility into GenAI app usage across your organization. You can discover risky GenAI app use cases, individual risky GenAI apps, as well as risky users accessing GenAI apps.
  2. Perform the initial AI Access Security configuration.
    This includes creating an Enterprise Data Loss Prevention (E-DLP) data profile to define the sensitive data match criteria and the Vulnerability Protection profile used to stop attempts to exploit system flaws or gain unauthorized access to systems.
    For NGFW, this also includes creating an internal trust zone and an outbound untrusted zone.
  3. Log in to Strata Cloud Manager.
  4. Select Manage > Configuration > NGFW & Prisma Access > Security Services > Web Security and select your target Configure Scope.
  5. Select Security Settings > Threat Management and Customize Vulnerability Protection for your Web Security policy rules.
    The Vulnerability Protection settings you configure here are applied to Web Security policy rules.
    1. Select the Vulnerability Protection Profile you created during the initial configuration.
    2. Configure the remaining Vulnerability Protection settings as needed.
    3. Save.
  6. Select Policies to continue creating policy rules to control GenAI app usage.
  7. Modify the predefined Sanctioned GenAI Access policy rule.
    1. Select the predefined Sanctioned GenAI Access policy rule and Enable it.
    2. Click the predefined Sanctioned GenAI Access policy rule to modify it.
    3. Make the required changes for the predefined Sanctioned GenAI Access policy rule.
    4. Save.
  8. Create a custom Web Access policy rule.
    1. Add Policy.
    2. Enter a descriptive Name.
    3. Enable the Web Access policy rule.
    4. (Optional) Add a Description for the Web Access policy rule, and add a predefined Tag or create a new one.
    5. (Optional) Configure a Schedule to specify the times the Web Access policy rule is active.
    6. Define traffic to enforce based on the traffic Source (where it originates).
      For example, based on your risk discovery investigation you determine that unauthorized users associated with User Group A access a GenAI app sanctioned for use by User Group B. In this case you can create a Web Access policy rule to block access to the GenAI app and add User Group A as the user group Source.
    7. Configure Blocked Web Applications and Allowed Web Applications to define which GenAI apps you want to block or allow access to.
      (Allowed Web Applications) Only add supported GenAI apps to the list of allowed apps.
      • Application—Add one or more GenAI apps.
      • Application Category—An application category, otherwise referred to as an application filter, dynamically groups applications based on application filters you define.
        For example, you can use a predefined or custom GenAI app filter to dynamically control access to GenAI apps in your organization rather than adding individual GenAI apps or creating an application group that must be updated manually each time a change is required.
      • Application Group—An application group is a static grouping of individual apps that you create.
      (Allowed Web Applications) When adding your allowed application, click the DLP column and add a DLP Rule.
      Enterprise Data Loss Prevention (E-DLP) is required to prevent exfiltration of sensitive data and to generate Sensitive Assets data when discovering risks posed by GenAI apps.
    8. Configure the rest of the Custom Web Access policy rule as needed.
    9. Save.
  9. Push Config and Push.

Create Custom Policy Rules to Control GenAI App Usage (Panorama)

Create policy rules in the Panorama™ management server to control GenAI app usage in your enterprise.
  1. Use the AI Access Security Insights dashboard to discover risks posed by GenAI apps.
    The AI Access Security Insights dashboard provides detailed and comprehensive visibility into GenAI app usage across your organization. You can discover risky GenAI app use cases, individual risky GenAI apps, as well as risky users accessing GenAI apps.
  2. Perform the initial AI Access Security configuration.
    This includes creating an Enterprise Data Loss Prevention (E-DLP) data profile to define the sensitive data match criteria and the Vulnerability Protection profile used to stop attempts to exploit system flaws or gain unauthorized access to systems.
    For NGFW, this also includes creating an internal trust zone and an outbound untrusted zone.
  3. Log in to the Panorama™ management server web interface.
  4. Select Policies > Security and specify the Device Group.
  5. Add a new Security policy rule.
  6. Configure the Security policy rule General, Source, and Destination settings.
    Refer to the Security Policy Administration Guide for detailed information about writing a Security policy rule.
    • General—Give the Security rule a descriptive Name. You also have the option to provide a Description for the Security policy rule and to apply tags to help identify the purpose of the Security policy rule.
    • Source—Define from where traffic must originate for the Security policy rule to apply.
      For the Source Zone, you can select an internal trust zone. If you want the Security policy rule to apply to all traffic regardless of where it originated, select Any for all source settings.
      For example, based on your risk discovery assessment you determine that access to a GenAI app is over-provisioned and must be narrowed to specific users. In this case you can write an Allow policy rule and add the required Source User.
    • Destination—Define the target destination for traffic for the Security policy rule to apply.
      For the Destination Zone, you can select an outbound untrust zone. If you want the Security policy rule to apply to all traffic regardless of what the traffic destination is, select Any for all destination settings.
  7. In the Application settings, specify the GenAI Application Group, Application Filter, or Applications.
    (Allowed Web Applications) Only add supported GenAI apps to the list of allowed apps.
    • Application—Add one or more GenAI apps.
    • Application Category—An application category, otherwise referred to as an application filter, dynamically groups applications based on application filters you define.
      For example, you can use a predefined or custom GenAI app filter to dynamically control access to GenAI apps in your organization rather than adding individual GenAI apps or creating an application group that must be updated manually each time a change is required.
    • Application Group—An application group is a static grouping of individual apps that you create.
  8. Configure the Security policy rule Actions. Decide what Actions you want to take on your policy rule. As a best practice, attach Security Profiles to enable the firewall to scan all allowed traffic for threats. Select Profiles from the Profile Type drop-down and then select the individual Security Profiles to attach to the rule. Choose the required actions for the following settings for your GenAI apps:
    1. For the Action, configure the Action the NGFW takes when traffic from the Security policy rule Source to the Destination is detected.
      For example, select Allow if you want to allow access to one or more GenAI apps or Deny if you want to block all access to one or more GenAI apps.
    2. For the Profile Type, select Profile.
      At a minimum you must add the Vulnerability Protection and Data Filtering profiles. These are required to generate Threats and Sensitive Assets data when discovering risks posed by GenAI apps. The remaining profiles are optional and can be configured as needed. For each of the Security Profile types below you can select an existing profile or create a new one.
      In the Actions tab, Profile Setting takes precedence over Action Setting. So, as a best practice, ensure that both settings are matched properly. For example, even if you have the Action Setting as Allow and one of the Profile Settings as Block for ChatGPT, it will be blocked.
  9. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
    The Commit and Push command isn't recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      Always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have a Panorama admin user named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.

