Administration
  • Administration
  • AI Access Security Documentation
  • All Documentation
>
Modify Default GenAI App Access Policy Rule to Control GenAI Access
Focus
Download PDF
Focus
  1. Home
  2. AI Access Security
  3. Administration
  4. Modify Default GenAI App Access Policy Rule to Control GenAI Access
Download PDF
AI Access Security

Modify Default GenAI App Access Policy Rule to Control GenAI Access

Table of Contents

Modify Default GenAI App Access Policy Rule to Control GenAI Access

Modify the default GenAI App policy rules in Strata Cloud Manager to control GenAI App usage in your enterprise.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
One of the following:
  • AI Access Security license
  • CASB-PA license
  • CASB-X license
Modify the Default GenAI App Policy rule in Strata Cloud Manager to control GenAI App usage in your enterprise.
  • In Strata Cloud Manager, even though you can create policy rules through Security Policies for GenAI Apps, it is recommended that you use Web Security to create policy rules efficiently.
  • It's not recommended to have both GenAI and non-GenAI apps in the same policy if the Enterprise Data Loss Prevention (E-DLP) license isn't active.
For Strata Cloud Manager, the Default Web Access Policies like Global Web Access and Global Catch All policy rules are used to control outbound traffic and web applications. To control the use of GenAI applications in your enterprise with an out of the box policy, use the Default GenAI App Access policy rules (under Default Web Access Policies). By default, this policy blocks all GenAI apps across your enterprise. To modify this policy:
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationNGFW & Prisma AccessSecurity ServicesWeb Security and select your target Configure Scope.
  3. In the Default GenAI App Access section, click the predefined Default GenAI app Accesspolicy rule.
    This policy controls the access to GenAI applications.
  4. Enable the Default GenAI App Access policy. It's disabled by default.
  5. Select GenAI App Access Policy and open the configuration page.
  6. In the Blocked Web Applications section, select + to add a specific Application Group, Applications, or a Custom Application Group to this list. Select X to delete existing GenAI applications from the list.
    In the following example, you can see the default list of blocked GenAI applications like GenAI Conversational Chat, GenAI Image Editor Generator, and so on.
  7. In the Allowed Web Applications section, select Add to add a specific Application Group, Applications, or a Custom Application Group to this list. Select - to delete existing GenAI applications from the list.
  8. In the Blocked URL Categories section, select + to add specific URL categories, Multi-Category URLs, or Dynamic URL Lists that are malicious and high-risk URL categories. Select X to delete existing URLs from this list.
  9. In the Allowed URL Categories section, select + to explicitly allow URL/custom categories in your enterprise. Select X to delete existing URL categories from this list.
    You can't modify the name and description of the Default GenAI App Access policy.
  10. Save.
  11. Push Config and Push.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.